Abstract

Software product lines are now an established framework for software
design. They are specified by special diagrams called feature
models. For formal analysis, the latter are usually encoded by Boolean
propositional theories. We discuss a major deficiency of this semantics,
and show that it can be fixed by considering a product to be an
instantiation process rather than its final result. We call intermediate states
of this process partial products, and argue that what a feature model
really defines is a poset of its partial products. We argue that such
structures can be viewed as special Kripke structures that we call partial
product Kripke structures, ppKS. To specify these Kripke structures,
we propose a CTL-based logic, called partial product CTL, ppCTL. We
show how to represent a feature model M by a ppCTL theory ML(M)
(ML stands for modal logic) such that any ppKS satisfying the theory
is equal to the partial product line determined by M. Hence, ML(M)
can be considered a sound and complete representation of M. We also
discuss several applications of the modal logic view in feature modeling,
including refactoring of feature models.
1 Introduction


The software product line approach is well-known in the software industry. 
Products in a product line (PL) share some common mandatory features, 
and differ by having some optional features that allow the user (or developer) 
to configure the product the user wants (e.g., MS Office, Photoshop, or
the Linux kernel). Instead of producing a multitude of separate products,
the vendor designs a single PL encompassing a variety of products, which
results in a significant reduction in development time and cost [32]. Methods
of specifying PLs and checking the validity of a PL against a specification are
an active research area.

The most common method for designing a PL is to build a feature model (FM);
below we will often say just model. A toy example is shown in the inset figure.
Model $M_1$ says that a (root feature called) car must have an engine and
brakes (black bullets denote mandatory subfeatures), and brakes can optionally
(note the hollow bullet) be equipped with an anti-skidding system. The model
specifies a PL consisting of two products: $P = \{car, eng, brakes\}$ and
$P' = P \cup \{abs\}$.

[Inset figure: model $M_1$]

As industrial models may be based on thousands of features inter-related 
in complex ways [27], they require tools for their management and analysis, 
and thus should be represented by formal objects processable by tools. A 
common approach is to consider features as atomic propositions, and view 
a model as a theory in the Boolean propositional logic (BL), whose valid 
valuations are to be exactly the valid products defined by the model [3]. For 
example, model $M_1$ represents the BL theory (i.e., a set of Boolean
propositional formulas) $BL(M_1) = \{car\} \cup \{eng \to car, brakes \to car, abs \to brakes\} \cup \{car \to eng, car \to brakes\}$:
the first three implications encode subfeature dependencies
(a feature can appear in a product only if its parent is in the
product), the last two implications encode the mandatory dependencies
between features (if a parent of a mandatory feature is included in the
product, then it must be included too), and the root feature must be always
included in the product. We call this semantics of models Boolean.




The Boolean semantics gave rise to a series of prominent applications for
analysis of industrial size PLs [14, 19, 37]. However, it has an almost evident
drawback of misrepresenting models’ hierarchical structure. Indeed, the
second inset figure shows a model $M_2$ that is essentially different from $M_1$ (and
is, in fact, pathological), but has the same set of products, $\{P, P'\}$,
determined by an equivalent Boolean theory
$BL(M_2) = \{car \to eng, brakes \to eng, abs \to eng\} \cup \{eng \to car, eng \to brakes\} \sim BL(M_1)$:
only grouping of implications has changed, but it is immaterial for Boolean logic. The core of the
problem is that two different dependencies (the parent feature and a mandatory
subfeature) are similarly encoded by implication, and hence are not
semantically distinguished.


We are not the first to have noticed this drawback,
e.g., it is mentioned in [37] (where models’ semantics not
captured by Boolean logic is called ontological), and many
researchers and practitioners in the field are probably
aware of the situation. Nevertheless, as far as we know,
no alternative to the Boolean logic semantics of feature
modeling has been proposed in the literature, which we
think is theoretically and conceptually unsatisfactory. Even more importantly,
inadequate logical foundations for feature modeling hinder practical analyses:
as important information contained in models is not captured by their
BL-encoding, this information is either missing from analyses, or treated
informally, or hacked in an ad hoc way. In a sense, this is yet another
instance of a known software engineering problem, when semantics is hidden
in the application code rather than explicated in the specification, with all
its negative consequences for software testing, debugging, maintenance, and
communication between the stakeholders.

[Inset figure: model $M_2$, with features eng, car, brakes, abs]


Our main observation is that the key notion of feature modeling—a 
product built from features—should be considered as an instantiation process 
rather than its final result. We call intermediate states of this process partial 
products, and argue that what a model M really specifies is a partially 
ordered set of partial products, which we call a partial product line (PPL) 
generated by M. The commonly considered products of M (we call them 
full) only form a subset of M’s PPL. We then show that any PPL can 
be viewed as an instance of a special type of Kripke structures, which we 
axiomatically define and call a partial product Kripke structure (ppKS). The 
latter are specifiable by a suitable version of modal logic, which we call 
partial product CTL (ppCTL), as it is basically a fragment of CTL enriched 
with a constant modality that only holds in states representing full products. 
We show that any model M can be represented by a ppCTL (modal) theory
ML(M) accurately specifying M’s intended semantics: for any ppKS K,
$K \models ML(M)$ iff K is equal to M’s PPL, and hence ML(M) is a sound and
complete representation of the model. Then we can replace models by the
respective ppCTL-theories, which are well amenable to formal analysis and
automated processing.


In a broader perspective, we want to show that behavioural foundations 
of feature modeling are mathematically interesting, and worth the attention 
of the Theoretical Computer Science community. We will describe several 
open problems that we believe are mathematically interesting and practically 
useful. Especially intriguing are connections to concurrency modeling. In 
fact, PLs can be seen as a special interpretation of configuration structures 
[40]: features are events, partial products are configurations, and PPLs 
are configuration structures; feature models can then be seen as a far 
reaching generalization of Winskel’s event structures and other formalisms 
for specifying dependencies between events. It appears that the syntactical 
aspects of specifying concurrency (including transaction mechanisms), i.e., 
having a convenient and suggestive notation suitable for practitioners, have 
not received much attention in concurrency modeling. This is where we 
believe feature modeling can make a non-trivial contribution. We will discuss 
some details in Sect. 8.1. On the other hand, we would like to have the 
paper readable by a feature modeling researcher, and to convince her that 
the logic of models is modal rather than Boolean. Therefore, we pay special 
attention to the motivation of our framework: we want first to validate the 
mathematical framework, and only then explore it formally. 


This paper extends our previous shorter paper [16]. Here we provide the 
proofs of our results that have been omitted in [16]: we explicate the structure 
of modal theories extracted from models, and present detailed proofs following 
this structure. Moreover, we discuss bisimulation and simulation relations 
on ppKSs. We also discuss refactoring of feature models in the entirely new 
Sect. 6, and show that the notion of PPL, i.e., ppKS semantics for feature 
models, captures not only constraints embodied in models, but their feature 
hierarchy as well (the latter was always a challenging issue for the Boolean 
semantics [37]). Therefore we called the ppKS semantics faithful. We have 
also added an analysis of a special version of ppKS semantics, in which 
the i2c-principle is not assumed. The paper also provides a more complete 
review of the related work, and extends the future work section. 


Our plan for the paper is as follows. Section 2 is motivational: we 
describe the basics of feature modeling, and show how the deficiency of 
the Boolean semantics can be fixed by introducing partial products and 
transitions between them. In Sect. 3, the notions of models and PPLs they 
generate are formalized. In Sect. 4, we introduce the notion of ppKSs as 
immediate abstraction of PPLs, and ppCTL as a language to specify ppKSs’ 
properties. In this section, we also discuss bisimulation and simulation
relations on ppKSs and show that they are equal to identity and substructure 
relations over ppKSs, respectively. We show, step-by-step, how to translate 
a model into a ppCTL-theory, and prove our soundness and completeness 
theorems in Sect. 5. Sect. 6 discusses the notion of refactoring of feature 
models by using bisimulation relation on their PPLs. An important result of 
the study in this section is that PPLs are faithful to the semantics of models. 
In Sect. 7, we discuss some practical applications. Related work is discussed 
in Sect. 8, and future work in Sect. 9. Section 10 concludes. Appendices 
A.1 and A.2 respectively show complete BL and ppCTL encodings of our 
running example in Fig. 1. 


2 Feature Models and Partial Product Lines 


This section aims to motivate the formal framework we develop in the paper. 
In Sect. 2.1, we discuss the basics of feature modeling, and in Sect. 2.2 we 
introduce partial products and PPLs. We begin with PPLs generated by 
simple models, which can be readily explained in lattice-theoretic terms. 
Then (Sect. 2.3) we show that PPLs generated by complex models are more
naturally, and even necessarily, considered as transition systems.


2.1 Basics of Feature Modeling 


A model is a graphical structure presenting a hierarchical decomposition of 
features with some possible crosscutting constraints (CCs) between them. 
Figure 1 gives an example. It is a tree of features, whose root names the 
product (’car’ in this case), and edges relate a feature to its subfeatures. 
Edges with black bullets denote mandatory subfeatures: every car must 
have an eng (engine), a gear, and brakes. The hollow-ended edge says that 
brakes can optionally be equipped with abs. Black angles denote OR-groups: 
an engine can be either gas (gasoline), or elec (electric), or both. Hollow 
angles denote XOR-groups (eXclusive OR): a gear is either mnl (manual) or 
atm (automatic) but not both; it must be supplied with oil as dictated by 
the black-bullet edge. The x-ended arc says that an electric engine cannot 
be combined with a manual gear, and the arrow-headed arc says that an 
automatic gear requires ABS. According to the model, the set of features 
{car, eng, gas, gear, mnl, oil, brakes} is a valid product, but replacing the 
gasoline engine by electric, or removal of oil, would make the product invalid. 
In this way, the model compactly specifies seven valid products amongst the
set of $2^9$ possible combinations of 9 non-root features (the root is always
included), and exhibits dependencies between choices.


Figure 1: A model


In the Boolean view of feature modeling, a model is a representation
of a BL theory. For example, the theory encoded by the model in Fig. 1
consists of a set of implications denoting subfeature dependencies and unary
mandatory dependencies as explained in the introduction, plus three
implications denoting grouped mandatoriness:
$\{eng \to gas \vee elec,\ gear \to mnl \vee atm,\ mnl \wedge atm \to \bot\}$
(with $\bot$ denoting False), plus two implications encoding
CCs: $\{elec \wedge mnl \to \bot,\ atm \to abs\}$. Since the root must be always included
in a valid product, we also add the theory $\{car\}$. However, as we saw in the
Introduction, a BL encoding is deficient.


2.2 Partial Product Lines: Products as Processes 


What is lost in the BL-encoding is the dynamic nature of the notion of 
products. A model defines not just a set of valid products but the very 
way these products are to be (dis)assembled step by step from constituent 
features. Correspondingly, a PL appears as a transition system initialized at
the root feature (say, car for model $M_1$ in Fig. 2a) and gradually progressing
towards fuller products (say, $\{car\} \to \{car, eng\} \to \{car, eng, brakes\}$ or
$\{car\} \to \{car, brakes\} \to \{car, brakes, abs\} \to \{car, brakes, abs, eng\}$); we call
such sequences instantiation paths.

The graph in Fig. 2(b1) specifies all possible instantiation paths for
$M_1$ (c, e, b, a stand for car, eng, brakes, abs, resp., to make the figure
compact). Nodes in the graph denote partial products, i.e., valid products
with, perhaps, some mandatory features missing: for example, product {c,e}
is missing feature b, and product {c,b} is missing feature e. In contrast,
products {e} and {c,a} are invalid as they contain a feature without its
parent; such products do not occur in the graph. As a rule, we will call
partial products just products. Product {c,e,b} is full (complete) as it has all
mandatory subfeatures of its member-features; nodes denoting full products
are framed. (Note that product {c,e,b} is full but not terminal, whereas
the bottom product is both full and terminal.) Edges in the graph denote
inclusions between products. Each edge encodes adding a single feature to
the product at the source of the edge; in text, we will often denote such edges
by an arrow and write, e.g., $\{c\} \to_e \{c,e\}$, where the subscript denotes the
added feature. We call the instantiation graph described above the partial
product line determined by model $M_1$, and write $PPL_1$. In a similar way,
the PPL of the second model, $PPL_2$, is built in Fig. 2(b2). We see that
although both models have the same set of full products (i.e., are Boolean
semantics equivalent), their PPLs are essentially different both structurally
(6 nodes and 7 edges in $PPL_1$ versus 8 nodes and 12 edges in $PPL_2$), and
in the content of products (e.g., products {c} and {c,b} are present in $PPL_1$
but absent in $PPL_2$, whereas {e} and {e,a} are present in $PPL_2$ but absent
from $PPL_1$). This essential difference between PPLs properly reflects the
essential difference between the models.

Figure 2: From models to PPLs: simple cases

Faithful Modeling of Product Lines with Kripke
Structures and Modal Logic
2.3 Partial Product Lines: From lattices to transition systems


Generating $PPL_{1,2}$ from models $M_{1,2}$ in Fig. 2 can be readily explained
in lattice-theoretic terms. Let us first forget about mandatory bullets, and
consider all features as optional. Then both models are just trees, and
hence are posets, even join semi-lattices (joins go up in feature trees). Valid
products of model $M_i$ are upward-closed sets of features (filters), and form
a lattice (consider Fig. 2(b1,b2) as Hasse diagrams), whose join is set union,
and meet is intersection. If we freely add meets (go down) to posets $M_{1,2}$
($eng \wedge brakes$ etc.), and thus freely generate lattices $L(M_i)$, $i = 1,2$, over the
respective posets, then lattices $L(M_i)$ and $PPL_i$ will be dually isomorphic
(Birkhoff duality).

The forgotten mandatoriness of some features appears as incompleteness 
of some objects; we call them proper partial products. Partial products 
closed under mandatoriness are full. Thus, PPLs of simple models such as in 
Fig. 2(a) are their filter lattices with distinguished subsets of full products. 
In the next section, we will argue that this lattice-theoretic view does not 
work for more complex models. 

Figure 3 (left) shows a fragment of the model in Fig. 1, in which, for 
uniformity, we have presented the XOR-group as an OR-group with a new 
CC added to the tree (note the x-ended arc between mnl and atm).³ To
build the PPL, we follow the idea described above, and first consider $M_3$ as
a pure tree-based poset with all the extra-structure (denoted by black bullets 
and black triangles) removed. Figure 3 (right) describes a part of the filter 
lattice as a Hasse diagram (ignore the difference between solid and dashed 
edges for a while); to ease reading, the number of letters in the acronym for 
a feature corresponds to its level in the tree, e.g., c stands for car, en for eng 
etc. 

Now let us consider how the additional structure embodied in the model
influences the PPL. Two CCs force us to exclude the bottom central and
right products from the PPL; they are shown in brown-red and the respective
edges are dashed. To specify this lattice-theoretically, we add to the lattice
of features a universal bottom element $\bot$ (a feature to be a subfeature of any
feature), and write two defining equations: $ele \wedge mnl = \bot$ and $mnl \wedge atm = \bot$.
Then, in the filter lattice, the formal down-join of products {c,en,ele,ge} and
{c,ge,mnl,en} “blows up” and becomes equal to the set of all features (“False
implies everything”). The same happens with the other pair of conflicting
products.

Figure 3: From models to PPLs: Complex case

³ Recall that an x-ended arc between two incomparable features denotes an exclusive
constraint CC between them.

Next we consider the mandatoriness structure of M3 (given by black 
bullets and triangles). This structure determines a subset of the PPL 
consisting of full products (not shown in Fig. 3) as we discussed above. In 
addition, mandatoriness affects the set of valid partial products as well. 
Consider the product $P = \{c, en, ge\}$ at the center of the diagram. The left
instantiation path leading to this product, $\{c\} \to_{en} \{c, en\} \to_{ge} P$, is not
good because gear was added to engine before the latter is fully assembled
(a mandatory choice between being electric or gasoline, or both, has still not
been made). Jumping to another branch from inside of the branch being
processed can be considered a poor design practice that the modeler may
want to prohibit by declaring the corresponding transition as invalid. Then
transition $\{c, ge\} \to_{en} P$ should be also invalid as engine is added before
gear instantiation is completed. Hence, product P becomes unreachable, 
and should be removed from the PPL. (In the diagram, invalid edges are 
dashed (red with a color display), and the products at the ends of such edges 
are invalid too.) 

Thus, a reasonable requirement for the instantiation process is that 
processing a new branch of the feature tree should only begin after processing 
of the current branch has reached a full product. We call this requirement 
instantiate-to-completion (i2c) by analogy with the run-to-completion
transaction mechanism in behavior modeling (indeed, instantiating a branch of a
feature tree can be seen as a transaction).


Figure 4: Exclusion of an edge due to i2c


Importantly, i2c prohibits transitions rather than products, and it is 
possible to have a product with some instantiation paths into it being legal 
(and hence the product is legal as well), but some paths to the product being 
illegal. Figure 4 shows a simple example with model $M_4$ and its PPL. In
the latter, the “diagonal” transition $\{car, gear\} \to \{car, eng, gear\}$ violates
i2c and must be removed. However, its target product is still reachable 
from {car, eng} as the latter is a fully instantiated product. Hence, the only 
element excluded by i2c is the diagonal dashed transition. 

Note that the i2c principle may substantially reduce the complexity 
of the PPL for a given model, as it may exclude many transitions and/or
states from the PPL, without loss of any information of the model. It follows 
from this observation that a PPL can be richer than its lattice of partial 
products (transition exclusion cannot be explained lattice-theoretically), and 
transition systems/Kripke structures and modal logic are needed. 

Moreover, even if all inclusions are transitions, Boolean logic is too 
poor to express important semantic properties embodied in PPLs. For 
example, we may want to say that every product can be completed to a full 
product, and every full product is a result of such a completion. Or, we 
may want to say that if a product P has some feature f, then in some of its 
partial completions P’, a feature g should appear. Or, if a product P has a 
feature f, then any full product completing P must have a feature g, and 
so on. Specification of such properties needs some version of modal logic. 
In general, since modal logic is more expressive than Boolean, it provides a 
more expressive language for cross-cutting constraints over feature models. 
Later in Sect. 7, we will provide an example, in which some practically 
reasonable constraints cannot be expressed in Boolean logic and require a
modal specification. 

Thus, the transition relation is an important (and independent) compo- 
nent of the general PPL structure. As soon as transitions become first-class 
citizens, it makes sense to distinguish full products by supplying them, and 
only them, with identity loops. That is, each framed product in our figures 
describing PPLs, should be assumed to have a loop transition to itself. Such 
loops do not add (nor remove) any feature from the product, and have a clear 
semantic meaning: the instantiation process can stay in a full product state 
indefinitely. This way, the transition relation in a PPL would be left-total,⁴
which makes PPLs standard Kripke structures used for the semantics of 
CTL, in which transition relations must be left-total. 
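The PPL construction of Sect. 2.2 and the left-totality and completion properties discussed above can be checked mechanically for the two toy models of the Introduction. The Python sketch below is an added example, not code from the paper: the dictionary encoding of $M_1$ and $M_2$ and all function names are assumptions made here. It covers only the simple case (no crosscutting constraints, so no i2c pruning is needed) and goes slightly beyond Fig. 2 by adding the identity loops on full products.

```python
from itertools import combinations

# Constructed encodings of the toy models M1 and M2 from the Introduction:
# "parent" is the subfeature tree, "or_groups" lists the OR-groups per feature
# (a mandatory subfeature is a singleton OR-group, as in Sect. 3.1).
M1 = {"root": "car",
      "parent": {"eng": "car", "brakes": "car", "abs": "brakes"},
      "or_groups": {"car": [{"eng"}, {"brakes"}]}}
M2 = {"root": "eng",
      "parent": {"car": "eng", "brakes": "eng", "abs": "eng"},
      "or_groups": {"eng": [{"car"}, {"brakes"}]}}


def is_partial(model, product):
    """Enabling only: the root is present and every feature has its parent."""
    root, parent = model["root"], model["parent"]
    return root in product and all(
        parent[f] in product for f in product if f != root)


def is_full(model, product):
    """Enabling plus causality: every OR-group of a present feature is hit."""
    return is_partial(model, product) and all(
        group & product
        for f in product
        for group in model["or_groups"].get(f, []))


def build_ppl(model):
    """Return (states, transitions, full) of the partial product line."""
    feats = sorted({model["root"], *model["parent"]})
    subsets = (frozenset(c) for n in range(1, len(feats) + 1)
               for c in combinations(feats, n))
    states = {p for p in subsets if is_partial(model, p)}
    full = {p for p in states if is_full(model, p)}
    # One transition per single added feature, plus identity loops on
    # full products (and only on them).
    steps = {(p, q) for p in states for q in states
             if p < q and len(q - p) == 1}
    loops = {(p, p) for p in full}
    return states, steps | loops, full


def is_left_total(states, transitions):
    """Every state has at least one outgoing transition."""
    return states == {src for src, _ in transitions}


def can_reach_full(transitions, full):
    """States from which some full product is reachable (backward search)."""
    reached, frontier = set(full), set(full)
    while frontier:
        frontier = {p for p, q in transitions if q in frontier} - reached
        reached |= frontier
    return reached


def summarize(model):
    states, transitions, full = build_ppl(model)
    return {"states": len(states),
            "steps": sum(1 for p, q in transitions if p != q),
            "full": full,
            "left_total": is_left_total(states, transitions),
            "all_completable": can_reach_full(transitions, full) == states}


if __name__ == "__main__":
    for name, model in (("M1", M1), ("M2", M2)):
        print(name, summarize(model))
```

Both models report the same two full products, which is all the Boolean semantics sees, while the state and step counts of their PPLs differ.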


3 Feature models and their PPLs: formally 


In Sect. 3.1, we give a formal definition of a (feature) model that supports all
our work in the paper. Sect. 3.2 defines a Boolean logic encoding of a model,
and the corresponding notions of full and partial products. Sect. 3.3
formally defines a PPL as a transition system.


3.1 Feature Models 


Several versions of feature models and their Boolean semantics are uniformly 
formalized in [36]. We develop yet another formalization of tree-based models 
as a quadruple of components, which is basically equivalent to the above, but 
our choice of the components provides feature models with a structure that 
supports all our work in the paper. Particularly, this structure is important 
for translating models into Boolean and modal theories, and for specifying 
their relationships and refactoring, and hence facilitating reverse engineering 
of models from product lines. Finally, we will need this structure in our 
future work on feature model management, for which we will need to define 
morphisms between models.

Typical models are trees of features with some extra structures, like in 
Fig. 1. In our framework, mandatory features and XOR-groups are derived 
constructs. A mandatory feature can be seen as a singleton OR-group. An 
XOR-group can be expressed by an OR-group with some additional exclusive 
constraints between its elements. 


⁴ A relation $R \subseteq A \times B$ is left-total if $\forall a \in A\ \exists b \in B: (a,b) \in R$.
Definition 1 (Feature Diagrams) A feature diagram (FD) is a pair $T_{OR} = (T, OR)$
of the following components.

(i) $T = (F, r, \_^{\uparrow})$ is a tree whose nodes are features: $F$ denotes the set
of all features, $r \in F$ is the root, and function $\_^{\uparrow}$ maps each non-root feature
$f \in F_{-r} \stackrel{\mathrm{def}}{=} F \setminus \{r\}$ to its parent $f^{\uparrow}$. The inverse function that assigns to
each feature the set of its children (called subfeatures) is denoted by $f_{\downarrow}$; this
set is empty for leaves. It is easy to see that the set of $f$’s siblings is the set
$(f^{\uparrow})_{\downarrow} \setminus \{f\}$. The set of all ancestors and all descendants of a feature $f$ are
denoted by $f^{\uparrow\uparrow}$ and $f_{\downarrow\downarrow}$, respectively.

Features $f, g$ are called incomparable, $f \# g$, if neither of them is a
descendant of the other. We write $\#2^F$ for the set
$\{G \subset F : G \neq \emptyset \text{ and } f \# g \text{ for all } f, g \in G\} \subset 2^F$.

(ii) $OR$ is a function that assigns to each feature $f \in F$ a set $OR(f) \subset 2^{f_{\downarrow}}$
(possibly empty) of disjoint subsets of $f$’s children called OR-groups.
If a group $G \in OR(f)$ is a singleton $\{f'\}$ for some $f' \in f_{\downarrow}$, we say that
$f'$ is a mandatory subfeature of $f$. For example, in Fig. 1, $OR(gear) = \{\{mnl, aut\}, \{oil\}\}$,
and oil is a mandatory subfeature of gear.

Elements in set $O(f) = f_{\downarrow} \setminus \bigcup OR(f)$ are called optional subfeatures of
$f$. For example, in Fig. 1, $OR(brakes) = \emptyset$, and abs is an optional subfeature
of brakes.


A model is a feature diagram plus some possible exclusive and/or inclusive
crosscutting constraints:


Definition 2 (Feature Models) A feature model (model) is a triple
$M = (T_{OR}, EX, IN)$ with $T_{OR}$ a feature diagram as defined above, and two
additional components defined below:

(i) $EX \subset \#2^F$ is a set of exclusive dependencies between features. For
example, in Fig. 1, $EX = \{\{elec, mnl\}, \{mnl, atm\}\}$.

(ii) $IN \subset \#2^F \times \#2^F$ is a set of inclusive dependencies between
features. A member of this set is interpreted (and written) as an implication
$(f_1 \wedge \ldots \wedge f_m) \to (g_1 \vee \ldots \vee g_n)$. For example, the feature model in Fig. 1 has
$IN = \{atm \to abs\}$.

Exclusive and inclusive dependencies are also called cross-cutting
constraints (CCs).⁵


Thus, a model is a tree of features $T$ endowed with three extra
structures $OR$, $EX$, and $IN$. We will sometimes write it as a quadruple
$M = (T, OR, EX, IN)$. If needed, we will subscript $M$’s components
with index $M$, e.g., write $F_M$ for the set of features $F$. Note that a model
is a purely syntactic object contrary to the common usage of term ‘model’
in logic. The class of all feature models over the same set of features $F$ is
denoted by $FM(F)$.

⁵ It is easy to see that any Boolean constraint/formula can be expressed as a conjunction
of our $EX$ and $IN$ dependencies.


3.2 Propositional encoding of models 


We will first present the general idea in Sect. 3.2.1, then show how to modify 
it to manage the major drawback of the standard Boolean encoding in 
Sect. 3.2.2, and finally discuss a propositional encoding of i2c in Sect. 3.2.3.


3.2.1 The approach 


A common approach to formalizing the PL (of full products) of a given
model is to use Boolean propositional logic [3]. Features are considered as
atomic propositions, and dependencies between features are specified by
logical formulas. For example, if a feature $f'$ is a subfeature of feature $f$,
we have an implication $f' \to f$ (if a product has feature $f'$, it must have
feature $f$ as well). If $\{g_1, g_2\}$ is an OR-group of $f$’s subfeatures, we write
$f \to (g_1 \vee g_2)$; if, in addition, features $g_1, g_2$ are mutually exclusive, we write
$g_1 \wedge g_2 \to \bot$. In this way, given a model $M = (T, OR, EX, IN)$, each of its
four components gives rise to a respective propositional theory (i.e., a set of
formulas) as shown in the upper four rows of Table 1: later we will discuss
the four theories in detail and explain the !-superscripts.⁶

Together these theories constitute theory $BL^!(M)$, and a set of features
$P$ is a legal full product for $M$ iff $P \models BL^!(M)$. Here $\models$ denotes the standard
satisfaction relation between a set of atomic propositions (features in our
context) $P$ and a Boolean theory $\Psi$: we define $P \models \Psi$ iff $P \models \psi$ for all $\psi \in \Psi$,
and for a Boolean formula $\psi = \psi(f_1, \ldots, f_n)$ built over atomic propositions
$f_1, \ldots, f_n$, we define $P \models \psi$ iff $\psi(f_1, \ldots, f_n) = 1$, where $f_i = 1$ for $f_i \in P$ and
$f_i = 0$ otherwise.⁷

Since publishing the seminal paper [27], this propositional view of
feature modeling became common and has been used in both theoretical
and practice-oriented work [3, 14, 37].

⁶ $\bigwedge G$ and $\bigvee G$ represent the conjunction and the disjunction of all formulas in a set of
formulas $G$.

⁷ Later we will also need semantic consequence between theories, $\Psi_1 \models \Psi_2$, which
means $P \models \Psi_2$ for any $P \models \Psi_1$. Also note that $P \models \Psi$ is equivalent to the universal
validity of the formula $\bigwedge\{p_1, \ldots, p_n, \neg q_1, \ldots, \neg q_k\} \to \bigwedge \Psi$, where propositions $q_i$ are all
those that do not occur in $P$, and $\neg q_i$ denotes negation of $q_i$.


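Table 1: Boolean theories extracted from a model $M = (T_{OR}, EX, IN)$

(1)      $BL(T) = \{\top \to r\} \cup \{f \to f^{\uparrow} : f \in F_{-r}\}$
(2)      $BL(EX) = \{\bigwedge G \to \bot : G \in EX\}$
(3!)     $BL^!(OR) = \{f \to \bigvee G : f \in F, G \in OR(f)\}$
(1+3!)   $BL^!(T_{OR}) = BL(T) \cup BL^!(OR)$
(4!)     $BL^!(IN) = \{\bigwedge G \to \bigvee G' : (G, G') \in IN\}$
(all!)   $BL^!(M) = BL(T) \cup BL(EX) \cup BL^!(OR) \cup BL^!(IN)$
(3)      $BL^{i2c}(T_{OR}) = \{f \wedge g \to (\bigwedge BL^!(T^f_{OR})) \vee (\bigwedge BL^!(T^g_{OR})) : f^{\uparrow} = g^{\uparrow}\}$
(all)    $BL(M) = BL(T) \cup BL(EX) \cup BL^{i2c}(T_{OR})$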


3.2.2 Enabling vs. Causality, or Full vs. Partial Products


The encoding above has a drawback that we discussed in the Introduction:
two different relationships between features (being a subfeature, $f' \to f$, and
being a mandatory subfeature, $f \to f'$) are similarly encoded. This implies
$f \leftrightarrow f'$ for any mandatory subfeature $f'$ of $f$, and leads to misrepresentation
of the hierarchical structure of a model. With a more refined approach, the
two relationships should be represented differently.

The subfeature relationship is fundamental, and any product having a
subfeature $f'$ but missing its superfeature $f$ should be considered ill-formed;
we can say that superfeature $f$ enables its subfeature $f'$ and all reasonable
products must respect enabling. In contrast, if $f'$ is a mandatory subfeature
of $f$, a product having $f$ but missing $f'$ is just incomplete rather than
ill-formed. We can say that feature $f$ causes $f'$ so that partial products
violating causality are possible, and only full products must respect it.⁸

Thus, we have two Boolean theories for the same model $M$. One is the
theory of partial products and another is the theory of full products. The
theory of partial products is denoted by $BL(M)$ (for now without the bang
superscript): it encodes the basic structural dependencies a well-formed
partial product must satisfy, and thus defines all partial products. This
theory consists of three components as specified in row (all) in Table 1:
$BL(T)$ is the BL-encoding of subfeature dependencies (row (1)), $BL(EX)$
is the BL-encoding of exclusive dependencies (row (2)), and in Sect. 3.2.3
we consider yet another ingredient, the BL encoding of the i2c-condition,
$BL^{i2c}(T_{OR})$.

⁸ Our choice of terms ‘enabling’ and ‘causal’ for the two types of structural dependencies
is somewhat arbitrary, and was partly motivated by similarities between feature and event
modeling discussed later in Sect. 8.1.

The other propositional theory, $M$’s full product theory $BL^!(M)$, consists
of four components. Two components are $BL(T)$ and $BL(EX)$ as above, the
third one is the BL-encoding $BL^!(OR)$ of the mandatoriness dependencies
embodied in the OR-structure (row (3!)), and the fourth is a Boolean
encoding $BL^!(IN)$ of the inclusive crosscutting constraints (row (4!)), which
we treat as mandatory for only full products rather than affecting
instantiation (i.e., as causal rather than enabling). We also consider the theory
$BL^!(T_{OR})$ as the union of $BL(T)$ and $BL^!(OR)$. With a more refined
approach to feature modeling, a crosscutting constraint should be labeled as
either causal or enabling, but with the current feature modeling practice,
crosscutting constraints are not labeled and we thus consider them as causal,
i.e., constraining full products only.


Definition 3 (Full Products) A full product over a model $M = (T_{OR}, \mathcal{EX}, \mathcal{IN})$
is a set of features $P \subseteq F$ satisfying theory $\mathsf{BL}^{!}(M)$ defined in
Table 1 in row (all'). The set of all full products is called $M$'s full product
set and denoted by $FP_M$. Thus, $FP_M = \{P \subseteq F : P \models \mathsf{BL}^{!}(M)\}$.


The definition above is equivalent to the standard one, except that we use 
the term full product rather than product. To define partial products, we 
need to introduce one more ingredient of the instantiation theory. 


3.2.3 Instantiate to Completion and Transient Conflicts. 


Consider once again PPL; in Fig. 3, from which product {c, en, ge} is 
excluded as violating the i2c principle. Note that in order to specify this
exclusion propositionally, we cannot declare that features en and ge are
mutually exclusive and write $\{en \wedge ge \to \bot\}$ because further down the lattice
they are combined in product {c, en, ele, ge} below {c, en}, and in product
{c, ge, mnl, en} below {c, ge} as well. In other words, the conflict between
features en and ge is transient rather than permanent, and its propositional
specification is not trivial. We solve this problem as follows.


Definition 4 (Induced Subtrees) Let $T_{OR} = (T, OR)$ be a feature
diagram over a set of features $F$, and $f \in F$. A feature subtree induced
by $f$ is a pair $T^{f}_{OR} = (T^{f}, OR^{f})$ with $T^{f}$ being the tree under $f$, i.e.,
$T^{f} \stackrel{\mathrm{def}}{=} (f_{\downarrow\downarrow} \cup \{f\}, f, \uparrow)$, and mapping $OR^{f}$ is inherited from $OR$, i.e., for
any $g \in f_{\downarrow\downarrow}$, $OR^{f}(g) = OR(g)$.


The theory formalizes the idea that if a valid product contains two
incomparable features, then at least one of these features must be fully instantiated
within the product. Now we can specify theory $\mathsf{BL}^{i2c}(T_{OR})$ as shown in row
(3) in Table 1.


Definition 5 (Partial Products) A partial product over model $M = (T_{OR}, \mathcal{EX}, \mathcal{IN})$
is a set of features $P \subseteq F$ satisfying the instantiation theory $\mathsf{BL}(M)$
specified in row (all) in Table 1. (Recall that a full product is a set of features
satisfying theory $\mathsf{BL}^{!}(M)$.) We denote the set of all partial products by
$PP(M)$ or sometimes $PP_M$. Thus, $PP(M) = \{P \subseteq F : P \models \mathsf{BL}(M)\}$.
We will often call partial products just products.


The following proposition is obvious. 


Proposition 1 For any model $M$ and any product $P$, $P \models \mathsf{BL}^{!}(M) \Rightarrow
P \models \mathsf{BL}(M)$, i.e., $\mathsf{BL}^{!}(M) \models \mathsf{BL}(M)$. Hence, full products as defined in
Definition 3 form a subset of partial products, $FP(M) \subseteq PP(M)$.


Appendix A.1 represents the Boolean logic theory of the whole model in 
Fig. 1. Note that transition exclusion discussed in Sect. 2.38 cannot be 
explained with Boolean logic and needs a modal logic; we will give a suitable 
logic and show how it works in Sect. 5. 


3.3. PPLs as Transition Systems 


In this section, we consider how partial products are related. The problem
we address is when a valid product $P$ can be augmented with a feature
$f \notin P$ so that product $P' = P \cup \{f\}$ is valid as well. We then write $P \longrightarrow P'$
and call the pair $(P, P')$ a valid (elementary or step) transition.

Two necessary conditions are obvious: the parent $f^{\uparrow}$ must be in $P$, and
$f$ should not be in conflict with features in $P$, that is, $P' \models \mathsf{BL}(T) \cup \mathsf{BL}(\mathcal{EX})$.
Compatibility with i2c is more complicated: we need to formalize relative
completeness of $P$ in its branch.


Definition 6 (Relative fullness) Given a product $P$ and a feature $f \notin P$,
the following theory (continuing the list in Table 1) is defined:


$(3)_{P,f} \quad \mathsf{BL}^{i2c}(P, f) = \bigcup\{\mathsf{BL}^{!}(T^{g}_{OR}) : g \in P \cap (f^{\uparrow})_{\downarrow}\}$


where $T^{g}_{OR}$ denotes the subtree induced by feature $g$ as described in
Definition 4. (Note that set $P \cap (f^{\uparrow})_{\downarrow}$ may be empty, and then theory $\mathsf{BL}^{i2c}(P, f)$ is
also empty.) We say $P$ is fully instantiated with respect to $f$ if $P \models \mathsf{BL}^{i2c}(P, f)$.


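For example, it is easy to check that for model $M_4$ in Fig. 4, for product
$P_1 = \{car, eng\}$ and feature $f_1 = gear$, we have $P_1 \models \mathsf{BL}^{i2c}(P_1, f_1)$ while
for $P_4 = \{car, gear\}$ and $f_4 = eng$, $P_4 \not\models \mathsf{BL}^{i2c}(P_4, f_4)$ because $\mathsf{BL}^{!}(T^{gear}_{OR}) =
\{gear \to oil\}$ and $P_4 \not\models \{gear \to oil\}$.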

Now, we are at the point where we can give a formal definition for valid 
transitions: 


Definition 7 (Valid Transitions) Let $P$ be a product. Pair $(P, P')$ is a
valid transition, we write $P \longrightarrow P'$, iff one of the following two possibilities
(a), (b) holds.

(a) $P' = P \uplus \{f\}$ for some feature $f \notin P$ such that the following
three conditions hold: (a1) $P' \models \mathsf{BL}(T)$, (a2) $P' \models \mathsf{BL}(\mathcal{EX})$, and (a3)
$P \models \mathsf{BL}^{i2c}(P, f)$.

(b) $P' = P$ and $P$ is a full product.

That is, $P \longrightarrow P'$ iff ((a1) $\wedge$ (a2) $\wedge$ (a3)) $\vee$ (b).


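For example, the dashed (red) transition in Fig. 4 is not valid because
$P = \{car, gear\} \not\models \mathsf{BL}^{i2c}(P, eng)$. The following result is important.


Theorem 1 If $P$ is a valid partial product and $P \longrightarrow P'$, then $P'$ is a valid
partial product.


Proof: If $P' = P$, the proposition is obvious. Consider now the case of
$P' = P \uplus \{f\}$ with $P' \models \mathsf{BL}(T) \cup \mathsf{BL}(\mathcal{EX})$ and $P \models \mathsf{BL}^{i2c}(P, f)$. We need to
prove that $P' \models \mathsf{BL}^{i2c}(T_{OR})$. Let $g \in P$ be an arbitrary feature with $g^{\uparrow} = f^{\uparrow}$,
i.e., $g \in P \cap (f^{\uparrow})_{\downarrow}$. By definition of relative fullness, if $P \models \mathsf{BL}^{i2c}(P, f)$, then
definitely $P \models \mathsf{BL}^{!}(T^{g}_{OR})$ (one of the union's components). This implies
$P' \models \mathsf{BL}^{!}(T^{g}_{OR})$, and hence $P' \models \bigcup\{\mathsf{BL}^{!}(T^{g}_{OR}) : g \in P, g^{\uparrow} = f^{\uparrow}\}$. The
above statement, along with $P \models \mathsf{BL}^{i2c}(T_{OR})$, implies that $P' \models \{f \wedge g \to
(\bigwedge \mathsf{BL}^{!}(T^{f}_{OR})) \vee (\bigwedge \mathsf{BL}^{!}(T^{g}_{OR}))$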

Finally, we formalize PPLs as follows.


Definition 8 (Partial Product Lines) Let $M = (T_{OR}, \mathcal{EX}, \mathcal{IN})$ be a
model. The partial product line (PPL) determined by $M$ is a triple $\mathcal{P}(M) =
(PP_M, \longrightarrow_M, I_M)$ with the set $PP_M$ of partial products given by Definition 5,
transition relation $\longrightarrow_M$ given by Definition 7 (so that full products, and
only them, are equipped with self-loops), and the initial product $I_M = \{r\}$
consisting of the root feature.


Below in Sect. 6, we show that PPLs provide a faithful semantics for 
models, which captures both the products and the tree-structure of feature 
models (see Discussion on page 101). 


4 Partial Product Kripke Structures 


In this section, we introduce partial product Kripke structures, which are 
an immediate abstraction of PPLs generated by models. We then discuss 
simulation and bisimulation relations on these special Kripke structures. 

By Kripke structures, we understand a family of mathematical structures
of the following format. We first fix a set $A$ of atomic propositions, and then
consider a tuple $K = (W, R, L)$ with $W$ a set of (possible) worlds or states,
$R$ a binary transition relation over $W$, and $L$ a labelling function $W \to 2^{A}$,
which maps a world to the set of propositions true in this world. Partial
product lines motivate a specialization of the notion, in which worlds (called
partial products) are identified with sets of atomic propositions (features),
and hence labelling is not needed. Full products are identified by loops on
corresponding states. These structures also satisfy some special properties
defined in the following definition.


Definition 9 (partial product Kripke Structure) Let $F$ be a finite set
(of features). A partial product Kripke structure (ppKS) over $F$ is a triple
$K = (PP, \longrightarrow, I)$ with $PP \subseteq 2^{F}$ a set of non-empty (partial) products,
$I \in PP$ the initial singleton product (i.e., $I = \{r\}$ for some $r \in F$), and
$\longrightarrow \subseteq PP \times PP$ a binary left-total transition relation⁹. In addition, the
following three conditions hold ($\longrightarrow^{*}$ denotes the transitive closure of $\longrightarrow$):

(Singletonicity) For all $P, P' \in PP$, if $P \longrightarrow P'$ and $P \neq P'$, then $P' = P \uplus \{f\}$
for some $f \notin P$.

(Reachability) For all $P \in PP$, $I \longrightarrow^{*} P$, i.e., $P$ is reachable from $I$.

(Self-Loops Only) For all $P, P' \in PP$, if ($P \longrightarrow^{+} P' \longrightarrow^{*} P$), then $P = P'$,
i.e., every loop is a self-loop.

A product $P$ with $P \longrightarrow P$ is called full. The set of full products is
denoted by $FP$.


⁹ A binary relation $R$ over a set $A$ is called left-total if $\forall a \in A, \exists b \in A : R(a, b)$.


The components of a ppKS $K$ are subscripted with $K$ if needed, e.g., $PP_K$.
We denote the class of all ppKSs built over a set of features $F$ by $KS(F)$.
Note that any partial product in a ppKS eventually evolves into a full product
because $F$ is finite, $\longrightarrow$ is left-total, and all loops are self-loops. It means
that any ppKS enjoys the following property:

(Finality) For all $P \in PP$, there exists a full product $P'$ such that $P \longrightarrow^{*} P'$,
where $\longrightarrow^{*}$ denotes the reflexive transitive closure of $\longrightarrow$.

The following statement is an obvious corollary of Definition 8. 


Corollary 1 Let $M \in FM(F)$ be a model. Its partial product line is a
ppKS, i.e., $\mathcal{P}(M) \in KS(F)$.
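
The construction of Definitions 6 to 8 and the conditions of Definition 9 can be run on a small model; the following Python code is an added example, not code from the paper. The model is constructed from the car example in the text (gear mandatory, eng optional and childless, oil mandatory under gear are assumptions), and representing OR-groups as lists of child sets is an encoding chosen here.

```python
# Constructed feature model (assumption, based on the car example in the text):
# car is the root; gear is mandatory, eng optional and childless; oil is a
# mandatory subfeature of gear. A mandatory subfeature is a singleton OR-group.
ROOT = "car"
PARENT = {"eng": "car", "gear": "car", "oil": "gear"}
OR = {"car": [{"gear"}], "gear": [{"oil"}]}   # feature -> its OR-groups
EX = []   # exclusive constraints: feature sets that must not occur together
IN = []   # inclusive constraints: pairs (G, G2) read as AND(G) -> OR(G2)
FEATURES = set(PARENT) | {ROOT}


def children(f):
    return {c for c, p in PARENT.items() if p == f}


def subtree(f):
    """Features of the subtree induced by f (Definition 4), f included."""
    out = {f}
    for c in children(f):
        out |= subtree(c)
    return out


def sat_tree(P):
    """BL(T): every non-root feature in P has its parent in P."""
    return ROOT in P and all(PARENT[f] in P for f in P if f != ROOT)


def sat_ex(P):
    """BL(EX): no exclusive constraint is completely contained in P."""
    return not any(G <= P for G in EX)


def sat_or(P, scope):
    """BL!(OR) restricted to `scope`: each present feature has every one of
    its OR-groups served by at least one member in P."""
    return all(G & P for f in scope & P for G in OR.get(f, []))


def is_full(P):
    """P satisfies BL!(M), i.e. P is a full product (Definition 3)."""
    return (sat_tree(P) and sat_ex(P) and sat_or(P, FEATURES)
            and all(G2 & P for G, G2 in IN if G <= P))


def fully_instantiated_wrt(P, f):
    """Relative fullness (Definition 6): every sibling of f already in P
    has its induced subtree fully instantiated."""
    siblings = (children(PARENT[f]) - {f}) & P
    return all(sat_or(P, subtree(g)) for g in siblings)


def valid_step(P, f):
    """Conditions (a1)-(a3) of Definition 7 for adding f to P."""
    Q = P | {f}
    return (f not in P and sat_tree(Q) and sat_ex(Q)
            and fully_instantiated_wrt(P, f))


def build_ppl():
    """Partial product line (Definition 8): states, transitions, initial."""
    init = frozenset({ROOT})
    states, trans, todo = {init}, set(), [init]
    while todo:
        P = todo.pop()
        if is_full(P):
            trans.add((P, P))               # Definition 7(b): self-loop
        for f in sorted(FEATURES - P):
            if valid_step(P, f):
                Q = frozenset(P | {f})
                trans.add((P, Q))
                if Q not in states:
                    states.add(Q)
                    todo.append(Q)
    return states, trans, init


def ppks_conditions(states, trans, init):
    """Left-totality, the conditions of Definition 9, and finality."""
    succ = {P: {Q for A, Q in trans if A == P} for P in states}

    def reach(P):
        seen, todo = {P}, [P]
        while todo:
            for Q in succ[todo.pop()] - seen:
                seen.add(Q)
                todo.append(Q)
        return seen

    full = {P for P in states if P in succ[P]}
    return {
        "left_total": all(succ[P] for P in states),
        # a non-loop step adds exactly one feature; because it strictly grows
        # the state, no cycle other than a self-loop can exist
        "singletonicity": all(P < Q and len(Q - P) == 1
                              for P, Q in trans if P != Q),
        "reachability": reach(init) == states,
        "finality": all(reach(P) & full for P in states),
    }
```

On this model the step from {car, gear} to {car, gear, eng} is rejected by condition (a3), while {car, eng} may still be extended with gear, which is the asymmetry the text describes for Fig. 4.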


We will also need the notion of sub-ppKS. 


Definition 10 (Sub-ppKS) Let $K$ and $K'$ be two ppKSs. We say $K$ is a
sub-ppKS of $K'$, denoted by $K \preceq_{sub} K'$, iff $PP_K \subseteq PP_{K'}$ and $\longrightarrow_K \subseteq \longrightarrow_{K'}$.


It is easy to see that $K \preceq_{sub} K'$ implies $I_K = I_{K'}$.

Consider two Kripke structures, $K$ and $K'$, which are respectively built
over the set of atomic propositions $A$ and $A'$ such that $A \subseteq A'$. A relation
$R$ from the states of $K$ to the states of $K'$ is called a simulation [7] if for
any states $s$ and $s'$, $s \mathrel{R} s'$ if the label of $s$ is a subset of the label of $s'$ and
for any transition $s \longrightarrow t$ in $K$ there is a transition $s' \longrightarrow t'$ in $K'$ such
that $t \mathrel{R} t'$. We say that $K'$ simulates $K$ and write $K \preceq_{sim} K'$ if there is
a simulation relation $R$ from $K$ to $K'$ such that $s_0 \mathrel{R} s'_0$, where $s_0$ and $s'_0$
are the initial states in $K$ and $K'$, respectively. We say that two Kripke
structures $K$ and $K'$ are simulation equivalent if $K \preceq_{sim} K'$ and $K' \preceq_{sim} K$.
The following theorem shows that the restriction of the simulation relation
on ppKSs is equal to the substructure relation on them.


Theorem 2 Given two ppKSs, $K \in KS(F)$ and $K' \in KS(F')$ with $F \subseteq F'$,
$K \preceq_{sim} K'$ iff $K \preceq_{sub} K'$.


Proof. Consider two ppKSs, $K$ and $K'$, as above. We will first show that

($\Rightarrow$) $K \preceq_{sim} K'$ implies $PP_K \subseteq PP_{K'}$ and $\longrightarrow_K \subseteq \longrightarrow_{K'}$.

Suppose that $K \preceq_{sim} K'$ via a simulation relation $R \subseteq PP_K \times PP_{K'}$.
Since $R(I_K, I_{K'})$ and both $I_K$, $I_{K'}$ are singletons, $I_K = I_{K'}$. In particular,
$PP_K \cap PP_{K'} \neq \emptyset$.

Let $P \in PP_K \cap PP_{K'}$ such that $R(P, P')$. Consider a transition $P \longrightarrow_K Q$
(in $K$). Since $K \preceq_{sim} K'$, there exists a transition $P \longrightarrow_{K'} Q'$ (in $K'$) such
that $R(Q, Q')$. Due to the singletonicity condition of ppKSs (see
Definition 9), there are $f \in F$, $f' \in F'$ such that $f, f' \notin P$, $Q = P \cup \{f\}$, and
$Q' = P \cup \{f'\}$. Since $Q \subseteq Q'$ (as $R(Q, Q')$) and $f, f' \notin P$, $f$ must be equal
to $f'$, which implies that $Q = Q'$. Hence, for any $P \in PP_K \cap PP_{K'}$, the
following holds:

(*) $R(P, P) \Rightarrow (\forall (P \longrightarrow_K Q)\ \exists (P \longrightarrow_{K'} Q),\ R(Q, Q))$.

Now the equality $I_K = I_{K'}$, the reachability condition of ppKSs (see
Definition 9), and condition (*) imply that $PP_K \subseteq PP_{K'}$ and $\longrightarrow_K \subseteq \longrightarrow_{K'}$.

To prove the converse implication,

($\Leftarrow$) $(PP_K \subseteq PP_{K'}) \wedge (\longrightarrow_K \subseteq \longrightarrow_{K'}) \Rightarrow K \preceq_{sim} K'$,

note that if $K$ is a substructure of $K'$, then $K'$ simulates $K$ via the identity
relation $id \subseteq PP_K \times PP_{K'}$.


Notation. Since the two relations $\preceq_{sim}$ and $\preceq_{sub}$ on ppKSs are the same,
we drop the subscripts and write $K \preceq K'$ for both relations.


Browne et al. in [6] defined a notion of equivalence between two finite
Kripke structures, usually called bisimulation in the literature [7]. Two
states $s$ and $s'$ are called bisimilar if their labels of atomic propositions are
the same and for any transition $s \longrightarrow t$ ($s' \longrightarrow t'$, respectively) there is a
transition $s' \longrightarrow t'$ ($s \longrightarrow t$, respectively) such that $t$ and $t'$ are bisimilar.
We say that two Kripke structures $K$, $K'$ are bisimilar and write $K \sim K'$ if
their initial states are bisimilar. Theorem 2 implies


Corollary 2 Given two ppKSs $K$ and $K'$ as above, the following three
statements are equivalent:

(a) $K \sim K'$

(b) $K = K'$

(c) $K \preceq K'$ and $K' \preceq K$


Proof: Since states in ppKSs are identified by their sets of labels, (a) = 
(b) holds. (a) = (c) is obvious. 


Thus, while for general Kripke structures simulation equivalence is
weaker than bisimulation [7], this is not the case for ppKSs.


5 Modal Logic Theory of Feature Models


There is a rich structure in $\mathcal{P}(M)$ (for a given model $M$) that is not captured
by the fact that $\mathcal{P}(M)$ is a ppKS—the class $KS(F)$ is too big. We want to
characterize $\mathcal{P}(M)$ in a more precise way by defining an as small as possible
class of ppKSs to which $\mathcal{P}(M)$ would provably belong. Hence, we need a
logic for defining classes of ppKSs by specifying a ppKS's properties.

In this section, we first introduce a modal logic called partial product
CTL (ppCTL), which is tailored for specifying partial product Kripke
structures' properties. Then, given a model $M$ over a finite set of features $F$, we
build two ppCTL theories from $M$'s data, $\mathsf{ML}_{\preceq}(M)$ and $\mathsf{ML}(M)$ (ML refers
to Modal Logic), such that the former theory is a subset of the latter, and
the following holds for any ppKS $K \in KS(F)$:


Theorem 3 (Soundness) $\mathcal{P}(M) \models \mathsf{ML}(M)$.

Theorem 4 (Semi-completeness) $K \models \mathsf{ML}_{\preceq}(M)$ implies $K \preceq \mathcal{P}(M)$.

Theorem 5 (Completeness) $K \models \mathsf{ML}(M)$ iff $K = \mathcal{P}(M)$.


Completeness allows us to replace models by the respective
ppCTL-theories, which are highly amenable to formal analysis and automated
processing. Semi-completeness is useful (as an auxiliary intermediate step
to completeness, but also) for some important practical problems in feature
modeling such as refactoring and specialization [38] and some other analysis
operations [4] over models. (See Sect. 6 and Sect. 7.1 for more discussion.)
We build theories $\mathsf{ML}_{\preceq}(M)$ and $\mathsf{ML}(M)$ from small component theories,
which specify the respective properties of $M$'s PPL in terms of ppCTL.

The structure of the rest of the section is as follows: Sect. 5.1 introduces
ppCTL. In Sect. 5.2, we start by discussing the structure of the entire
component family, and explain how the compound theories, $\mathsf{ML}_{\preceq}(M)$, $\mathsf{ML}(M)$, and
ML, (M) $\stackrel{\mathrm{def}}{=} \mathsf{ML}(M) \setminus \mathsf{ML}_{\preceq}(M)$ are built from them. Then, in Section 5.3,
we zoom into component theories and explain how they are built. Finally, in
Sect. 5.4, we prove the correctness of the theorems. Sect. 5.5 discusses PPLs
without i2c. Appendix A.2 presents the full ppCTL theory of the model in
Fig. 1.


5.1 Partial Product CTL (ppCTL) 


Logic ppCTL is a fragment of CTL enriched with a constant (zero-ary)
modality ! to capture full products.


Definition 11 (partial product CTL) Partial product CTL (ppCTL)
formulas are defined using a finite set of propositional letters $F$, an ordinary
signature of propositional connectives: constant (zero-ary) $\top$ (truth), unary
$\neg$ (negation) and binary $\vee$ (disjunction) connectives, and a modal signature
consisting of modal operators: constant (zero-ary) modality !, and three
CTL unary modalities AX, AF, and AG. The well-formed ppCTL-formulas $\phi$
are given by the following grammar:


$\phi ::= f \mid \top \mid \neg\phi \mid \phi \vee \phi \mid \mathrm{AX}\phi \mid \mathrm{AF}\phi \mid \mathrm{AG}\phi \mid\ !$, where $f \in F$.


Other propositional and modal connectives are defined dually via negation
as usual: $\bot$, $\wedge$, EX, EF, EG are the duals of $\top$, $\vee$, AX, AG, AF, respectively.
Also, we define a unary modality $\Box^{!}\phi$ as a shorthand for $\mathrm{AG}(! \to \phi)$. Let
$ppCTL(F)$ denote the set of all ppCTL-formulas over $F$.


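The semantics of ppCTL-formulas is given using the class $KS(F)$ of
ppKSs built over the same set of features $F$. Let $K \in KS(F)$ be a ppKS
$(PP, \longrightarrow, I)$. We first define a satisfaction relation $\models$ between a product
$P \in PP$ and a formula $\phi \in ppCTL(F)$ by structural induction on $\phi$. This
is done in Table 2.


Table 2: Rules of satisfiability


$P \models f$ iff $f \in P$ (for $f \in F$)

$P \models \top$ always holds

$P \models \neg\phi$ iff $P \not\models \phi$

$P \models \phi \vee \psi$ iff ($P \models \phi$) or ($P \models \psi$)

$P \models \mathrm{AX}\phi$ iff $\forall (P \longrightarrow P').\ P' \models \phi$

$P \models \mathrm{AF}\phi$ iff $\forall (P = P_1 \longrightarrow P_2 \longrightarrow \ldots)\ \exists i \geq 1 : P_i \models \phi$

$P \models \mathrm{AG}\phi$ iff $\forall (P = P_1 \longrightarrow P_2 \longrightarrow \ldots)\ \forall i \geq 1 : P_i \models \phi$

$P \models\ !$ iff $P \longrightarrow P$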


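Given two theories $\phi, \phi' \in ppCTL(F)$, we say that $\phi$ satisfies $\phi'$ and
write $\phi \models \phi'$ iff $\forall K \in KS(F) : K \models \phi \Rightarrow K \models \phi'$. We say that $\phi$ and $\phi'$ are
semantically equivalent iff $\phi \models \phi'$ and $\phi' \models \phi$.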
5.2 Structure of the component family


Table 3: Component and Compound Theories 


M Semi-completeness To Ensure Com- || Completeness 
BL ML pleteness 
iu BL(T) @ ML¢ (7) ML(T) 
EX BL(EX) a) a) ML(EX) 
OR a) MLi (OR) a) ML'(OR) 
IN a) MLC (ZN) a) ML'(ZN) 
i2c | BL*°(Tor) | ML2°* (Tor) a) ML“(Tor) 
FPu a) ML-(M) ML! (/) ML'(M) 
PPu | BL(M) g MLS (T)U ML°(M) 
MLY (Tor, EX) 
P(M) ML<(M) ML, (MZ) ML(M/) 


All component theories we need are referenced in Table 3. Its bottom
row consists of the three compound theories mentioned above; the last
(rightmost) column theory is the union of the theories in its row—this is a
general rule for the entire table. Another general rule is that each theory
in the bottom row is the union of all components above it in its column(s)
(and $\mathsf{ML}_{\preceq}(M)$ is the union of all components in two columns). For further
references, we call theories in the bottom row and the last column external;
all other theories are internal.

Rows of the table are indexed by structural concerns to be logically
encoded; columns are named by the goals of these encodings: to provide
semi-completeness with respect to full product line and PPL (split into
Boolean and modal components), and to provide completeness with respect
to full product line and PPL: a theory in the last column is the union of
all theories in its row, and thus ensures completeness with respect to the
concern corresponding to the row. A theory in this column is called the
complete theory of the corresponding component. Each internal theory is
an encoding of the corresponding concern for the corresponding goal. For
example, theory $\mathsf{ML}^{!}_{\preceq}(OR)$ modally specifies the OR structure to provide
semi-completeness with respect to full product line (note the ! superindex).
For another example, $\mathsf{BL}^{i2c}(T_{OR})$ is a Boolean encoding of the i2c-principle,
and its neighbor on the right is the additional modal constraint for the same
concern—it is needed to ensure semi-completeness. The empty neighbour on
the right means that nothing should be added (for this concern) to ensure
completeness. We do not intend to make the table strictly logical: its goal is
to reference component theories and explain their intentions.


5.3 The Content of Component Theories 


Now we specify the internal theories, and explain their meaning. Boolean 
theories are specified in Table 1. Modal theories are defined in Table 4 based 
on the following motivation. 


Table 4: Definitions of (basic) ppCTL theories 


OR AAP SOV Gt fer GEORG) 


( 
( 
MLU(ZN) ={AG > O'VG": (G,G’) EIN} 
( 
( 


MLZ (Tor) = {f 7g A 7ABL'(Tép) 3 HEXG: £9 € FF #9,f =9"} 
ML* (Tor, EX) = {ft A A BL**(f) An\V BL°*(f) + EXf: f € F}, 
BL**(f) ={g > ABL (Te) :9f€ Figt =f 94 f} 
BL’*(f) ={A(@\ {f}):@ € €4, f eG} 


The theory ML‘, (7) states that if a feature $f$ is visited in a current
state (partial product) without visiting any of its children (note $\neg\bigvee f_{\downarrow}$ in
the theory), then, for each child $g$ of $f$, if adding $g$ to the current state does
not violate the exclusive constraints (note $\neg\bigvee \mathsf{BL}^{EX}(g)$ in the theory), then
there must be a state immediately accessible from the current state visiting
$g$, i.e., $f \wedge \neg\bigvee f_{\downarrow} \wedge \neg\bigvee \mathsf{BL}^{EX}(g) \to \mathrm{EX}\,g$. The union of this theory and $\mathsf{BL}(T)$
generates a complete theory $\mathsf{ML}(T)$ (Table 3). A ppKS $K$ satisfying $\mathsf{ML}(T)$
is guaranteed to capture the tree structure $T$.

Since exclusive constraints in a model talk only about semi-completeness 
of partial products, the corresponding yL+ theory is empty. Thus, ML(EX) = 
BL(EX). 

The theories corresponding to OR deal with full products (states with
self-loop transitions). The theory $\mathsf{ML}^{!}_{\preceq}(OR)$ is the modal version of the
Boolean theory $\mathsf{BL}^{!}(OR)$ (Table 1). Consider an OR group $G$ with $G^{\uparrow} = f$.
The theory $\mathsf{ML}^{!}_{\preceq}(OR)$ states that if $f$ is visited in a current state, then at
least one of the elements involved in $G$ must be visited in any final products
accessible from the current state, i.e., $f \to \Box^{!}\bigvee G$.


The nature of the theory corresponding to $\mathcal{IN}$ is like OR's: it also
deals only with full products. The theory $\mathsf{ML}^{!}_{\preceq}(\mathcal{IN})$ is the modal version of
the Boolean theory $\mathsf{BL}^{!}(\mathcal{IN})$. Let $(G, G')$ be an inclusive constraint. The
theory $\mathsf{ML}^{!}_{\preceq}(\mathcal{IN})$ states that if all the elements involved in $G$ are visited in
a current state, then at least one of the elements in $G'$ must be visited in
any final products accessible from the current state, i.e., $\bigwedge G \to \Box^{!}\bigvee G'$.

Obviously, the two theories $\mathsf{ML}^{!}_{\preceq}(OR)$ and $\mathsf{ML}^{!}_{\preceq}(\mathcal{IN})$ are derivable
from the theory $\mathsf{ML}^{!}_{\preceq}(M)$. $\mathsf{ML}^{!}_{\preceq}(M)$ holding in a ppKS guarantees that any
full product in the ppKS is a full product of $M$. On the other hand, any
ppKS satisfying the theory $\mathsf{ML}^{!}(M)$ (= $\mathsf{ML}^{!}_{\preceq}(M)$ $\cup$ ML! (M)) must include
all full products of $M$ and only them.

Recall that the theory $\mathsf{BL}^{i2c}(T_{OR})$ (Table 1) guarantees that the partial
products of the PPL respect the i2c principle. However, as discussed in
Sect. 2.3, transitions also have to respect this principle. The modal theory
$\mathsf{ML}^{i2c}_{\preceq}(T_{OR})$ excludes the invalid transitions due to the i2c principle (see
Table 4). This theory states that if a feature $f$ is visited in a current state
without being completely instantiated (note $\neg\bigwedge \mathsf{BL}^{!}(T^{f}_{OR})$ in the theory),
then there must not be any states immediately accessible from the current
state including any newly added sibling $g$ of $f$, i.e., for any sibling $g$ of $f$:
$f \wedge \neg g \wedge \neg\bigwedge \mathsf{BL}^{!}(T^{f}_{OR}) \to \neg\mathrm{EX}\,g$. Then, the complete theory relating to i2c,
$\mathsf{ML}^{i2c}(T_{OR})$, would be the union of $\mathsf{BL}^{i2c}(T_{OR})$ and $\mathsf{ML}^{i2c}_{\preceq}(T_{OR})$.

Recall that, according to Definition 5, a set of features is a valid
partial product iff it satisfies the Boolean theory $\mathsf{BL}(M)$. However, any
ppKS satisfying this theory does not necessarily include all valid partial
products. To ensure that the ppKS includes all partial products, we add
modal theories ML (T) and ML‘’(Tor,€¥). Consider a state $P$ and a
feature $f$ such that $f \notin P$ and $f^{\uparrow} \in P$. The theory ML{’ (Tor, €*) states
that if adding $f$ to $P$ does not violate the exclusive constraints and the
i2c principle (note $\bigwedge \mathsf{BL}^{i2c}(f)$ and $\neg\bigvee \mathsf{BL}^{EX}(f)$ in the theory, respectively),
then there must be an immediately accessible state from $P$ including $f$, i.e.,
$f^{\uparrow} \wedge \bigwedge \mathsf{BL}^{i2c}(f) \wedge \neg\bigvee \mathsf{BL}^{EX}(f) \to \mathrm{EX}\,f$. The corresponding complete theory
is denoted by ML, (JM) and is equal to $\mathsf{BL}(M)$ $\cup$ ML, (T) $\cup$ ML‘? (Tor, EX).

Any ppKS $K$ satisfying the semi-completeness theory $\mathsf{ML}_{\preceq}(M)$ would
be a substructure of $\mathcal{P}(M)$, i.e., $\mathcal{P}(M)$ simulates $K$. On the other hand, the
theory $\mathsf{ML}(M)$, which is the union of $\mathsf{ML}_{\preceq}(M)$ and ML, (MM), guarantees
completeness, i.e., any ppKS $K$ satisfying $\mathsf{ML}(M)$ is equal to the PPL of $M$.
These are proven in the next subsection.


5.4 Soundness, Semi-Completeness, and Completeness: Proofs 


Our plan is as follows. We first prove soundness, then semi-completeness. The 
completeness theorem will be a direct corollary of Lemma 1 and Lemma 2. 


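Soundness: $\mathcal{P}(M) \models \mathsf{ML}(M)$.
Proof: To prove this theorem, we need to show that $\mathcal{P}(M)$ satisfies any
components of the theory $\mathsf{ML}(M)$.

(a) $\mathcal{P}(M) \models \mathsf{BL}(M)$ is obvious by Definition 5. Thus, all the Boolean
theories from Table 3 are satisfied by $\mathcal{P}(M)$.

(b) $\mathcal{P}(M) \models$ ML{ (7):

Let $P \in PP_M$, $f \in P$, $g \in f_{\downarrow}$, $P \cap f_{\downarrow} = \emptyset$, and $P \not\models \bigvee \mathsf{BL}^{EX}(g)$,
i.e., $P \models f \wedge \neg\bigvee f_{\downarrow} \wedge \neg\bigvee \mathsf{BL}^{EX}(g)$. We want to show that $P \models \mathrm{EX}\,g$. Let
$P' = P \cup \{g\}$. According to (a), $P \models \mathsf{BL}(T) \cup \mathsf{BL}(\mathcal{EX})$. Since $g$'s parent is
already in $P'$, adding $g$ to $P$ does not violate $\mathsf{BL}(T)$. Since $P \not\models \bigvee \mathsf{BL}^{EX}(g)$,
adding $g$ to $P$ also does not violate $\mathsf{BL}(\mathcal{EX})$. Therefore, $P' \models \mathsf{BL}(T) \cup
\mathsf{BL}(\mathcal{EX})$. Since all subfeatures of $f$ are absent in $P$, $\mathsf{BL}^{i2c}(P, f) = \emptyset$ (note
Definition 6) and hence $P \models \mathsf{BL}^{i2c}(P, f)$. Since $P' \models \mathsf{BL}(T) \cup \mathsf{BL}(\mathcal{EX})$ and
$P \models \mathsf{BL}^{i2c}(P, f)$, according to Definition 7, there is a transition $P \longrightarrow_M P'$.
Therefore, $P \models \mathrm{EX}\,g$.

(c) $\mathcal{P}(M) \models \mathsf{ML}^{!}(M)$ follows obviously, since the set of states with
self-loops in $\mathcal{P}(M)$ is equal to the set of all full products of $M$. Note that
this also implies that $\mathcal{P}(M)$ satisfies both theories $\mathsf{ML}^{!}_{\preceq}(OR)$ and $\mathsf{ML}^{!}_{\preceq}(\mathcal{IN})$,
since these two theories are derivable from the theory $\mathsf{ML}^{!}_{\preceq}(M)$.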




Faithful Modeling of Product Lines with Kripke 
Structures and Modal Logic 95 


(d) $\mathcal{P}(M) \models \mathsf{ML}^{i2c}_{\preceq}(T_{OR})$ follows obviously. Indeed, this theory
guarantees that there would not be an invalid transition due to the i2c principle.

(e) $\mathcal{P}(M) \models$ ML (Tor, EX):

Let $f$ and $P$ be a feature and a partial product of $M$, respectively,
such that $f^{\uparrow} \in P$, $P \models \mathsf{BL}^{i2c}(f)$, and $P \not\models \bigvee \mathsf{BL}^{EX}(f)$. There are two
cases: (1) $f \in P$, (2) $f \notin P$. Due to the singletonicity condition of ppKSs
(Definition 9), (1) trivially leads us to the result. In case (2): According
to Definition 7, there exists a transition $P \longrightarrow_M P \cup \{f\}$, which implies
$P \models \mathrm{EX}\,f$. This results in $\mathcal{P}(M) \models$ ML{’ (Tor, E*).

Note that any other theory is the union of some of the above theories.
The theorem is proven.


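Semi-completeness: $K \models \mathsf{ML}_{\preceq}(M)$ implies $K \preceq \mathcal{P}(M)$.
Proof: Let $K \models \mathsf{ML}_{\preceq}(M)$. Since $K \models \mathsf{BL}(M)$, according to Definition 5,
$PP_K \subseteq PP_M$. Now, we are going to show that $\longrightarrow_K \subseteq \longrightarrow_M$.

Due to $K \models \mathsf{ML}^{!}_{\preceq}(M)$ and $PP_K \subseteq PP_M$, any self-loop transition
$P \longrightarrow_K P$ in $K$ is a self-loop transition $P \longrightarrow_M P$ in $\mathcal{P}(M)$.

Consider a transition $P \longrightarrow_K P'$, where $P' = P \cup \{f\}$ for a feature
$f \notin P$. We want to show that there is a transition $P \longrightarrow_M P'$ in $\mathcal{P}(M)$.
Again, note that any state in $K$ is a partial product of $M$. To prove this
statement, according to Definition 7, we need to show that (a1) $P' \models \mathsf{BL}(T)$,
(a2) $P' \models \mathsf{BL}(\mathcal{EX})$, and (a3) $P \models \mathsf{BL}^{i2c}(P, f)$. (a1) and (a2) are immediate
corollaries of $K \models \mathsf{BL}(M)$. To prove (a3), we need to show that for any
siblings $g$ with $g \in P$, $P \models \mathsf{BL}^{!}(T^{g}_{OR})$ (see Definition 6). Assume by way
of contradiction that $P \not\models \mathsf{BL}^{!}(T^{g}_{OR})$, i.e., $g$ is not completely instantiated in
$P$. Since $K \models \mathsf{ML}^{i2c}_{\preceq}(T_{OR})$, $g \in P$, and $P \not\models \mathsf{BL}^{!}(T^{g}_{OR})$, there must not be
a transition $P \longrightarrow_K P'$. This leads us to a contradiction. Thus, (a3) holds.
Based on the above reasonings, $\longrightarrow_K \subseteq \longrightarrow_M$.

Since $PP_K \subseteq PP_M$ and $\longrightarrow_K \subseteq \longrightarrow_M$, according to Theorem 2, $K \preceq
\mathcal{P}(M)$.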


Completeness: $K \models \mathsf{ML}(M)$ iff $K = \mathcal{P}(M)$.
To prove the completeness theorem, we first need the following lemmas 1
and 2.

Lemma 1 $K \models$ ML°(M) implies $PP_K = PP_M$.


Proof: Let $K \models$ ML°(M). By Theorem 4, $PP_K \subseteq PP_M$. Now we need
to show that $PP_M \subseteq PP_K$. (We will illustrate general constructs used in
the proof with our running example - follow the footnotes.)

Let $P \in PP_M$ and $r$ be the root feature of $T$. The features included in
$P$ represent a subtree of $T$, denoted by $T_P$, whose root is $r$.¹⁰

We do a pre-order depth-first traversal of $T_P$ of a special kind complying
to i2c-principle: in each level of the tree, all the nodes that are completely
instantiated must be visited before the other nodes.¹¹

Let $S_P = (f_1, \ldots, f_n)$ with $f_1 = r$ be the traversal of $T_P$.

The following condition (R) holds:¹²

(R): for all $i < n$ either

(R-1) $f_i = f_{i+1}^{\uparrow}$ or

(R-2) $\exists (j < i) : f_j = f_{i+1}^{\uparrow}$ & $\forall g \in \{f_1, \ldots, f_i\} : (g^{\uparrow} = f_{i+1}^{\uparrow}) \Rightarrow
(\{f_1, \ldots, f_i\} \models \mathsf{BL}^{!}(T^{g}_{OR}))$, i.e., $g$ is completely instantiated in $\{f_1, \ldots, f_i\}$.

We prove that any prefix subsequence of $S_P$ is a partial product of $K$
and so $P$ itself. To this end, we use the following inductive reasoning:

(base case): $K \models r$ implies that $I_K = \{r\} = \{f_1\}$.

(hypothesis): Assume that, for some $1 < i < n$, any prefix of the
sequence $(f_1, \ldots, f_i)$ is a state in $K$ and there exists a path $\{f_1\} \longrightarrow_K
\ldots \longrightarrow_K \{f_1, \ldots, f_i\}$. Let $P' = \{f_1, \ldots, f_i\}$.

(inductive step): We want to prove that any prefix of the sequence
$(f_1, \ldots, f_i, f_{i+1})$ is a state in $K$ and there exists the path $\{f_1\} \longrightarrow_K \ldots \longrightarrow_K
P' \longrightarrow_K P' \cup \{f_{i+1}\}$. To this end, we need to show that $P' \cup \{f_{i+1}\} \in PP_K$
and there exists a transition $P' \longrightarrow_K P' \cup \{f_{i+1}\}$. We will prove this for
both cases (R-1) and (R-2) introduced above:

(R-1). Since $P \models \mathsf{BL}(\mathcal{EX})$ (note that $P \in PP_M$), adding $f_{i+1}$ to $P'$ does
not violate the exclusive constraints, i.e., $P' \not\models \bigvee \mathsf{BL}^{EX}(f_{i+1})$. As $f_i$ is freshly
added to state $P'$, $P' \not\models \bigvee (f_i)_{\downarrow}$. Therefore, $P' \models f_i \wedge \neg\bigvee (f_i)_{\downarrow} \wedge \neg\bigvee \mathsf{BL}^{EX}(f_{i+1})$.
Due to $K \models$ ML (7), this implies that there is a transition $P' \longrightarrow_K
P' \cup \{f_{i+1}\}$. Hence, $\{f_1, \ldots, f_{i+1}\} \in PP_K$.

(R-2). As $\forall g \in P' : (g^{\uparrow} = f_{i+1}^{\uparrow}) \Rightarrow (P' \models \mathsf{BL}^{!}(T^{g}_{OR}))$ (note (R-2) above),
adding $f_{i+1}$ to $P'$ does not violate i2c, i.e., $P' \models \mathsf{BL}^{i2c}(f_{i+1})$.


¹⁰ For an example, consider the partial product {car, eng, gear, mnl, oil} in the model in
Fig. 1. We have the following formulas corresponding to $\mathsf{BL}(T)$: $eng \to car$, $gear \to car$,
$mnl \to gear$, and $oil \to gear$, which clearly represent the subtree $(eng) \to car \leftarrow (mnl \to
gear \leftarrow oil)$.

¹¹ In the running example, gear must be visited before eng, since it is completely
disassembled in {car, eng, gear, mnl, oil}. In this example, the traversal would result in the
sequence (car, gear, mnl, oil, eng).

¹² $car = gear^{\uparrow}$; $gear = mnl^{\uparrow}$; $gear$ (resp. $car$) $= oil^{\uparrow}$ (resp. $eng^{\uparrow}$) and mnl (resp. gear) is
the only sibling of oil (resp. eng) which is completely instantiated.

$P \models \mathsf{BL}(\mathcal{EX})$ implies that any subset of $P$ satisfies $\mathsf{BL}(\mathcal{EX})$. Since
$P' \cup \{f_{i+1}\} \subseteq P$, $P' \cup \{f_{i+1}\} \models \mathsf{BL}(\mathcal{EX})$, which means $P' \not\models \bigvee \mathsf{BL}^{EX}(f_{i+1})$.
Since $P' \models \bigwedge \mathsf{BL}^{i2c}(f_{i+1}) \wedge \neg\bigvee \mathsf{BL}^{EX}(f_{i+1}) \wedge f_{i+1}^{\uparrow}$ and $K \models$ ML? (Tor, EX)
there is a state $\{f_1, \ldots, f_{i+1}\} \in PP_K$ such that $P' \longrightarrow_K P' \cup \{f_{i+1}\}$. Hence,
$P \in PP_K$.


Lemma 2 $K \models \mathsf{ML}(M)$ implies $\longrightarrow_K = \longrightarrow_M$.


Proof: Let $K \models \mathsf{ML}(M)$. There are two types of transitions in a ppKS:
self-loop transitions and others. Note that self-loop transitions denote full
products. We show that (1) full products of both $\mathcal{P}(M)$ and $K$ are the same,
i.e., the sets of their self-loops are the same, (2) non-loop transitions in $K$
and $\mathcal{P}(M)$ are the same. (1) is obvious, since $K \models \mathsf{ML}^{!}(M)$ (note Table 1).
In the following we also show that the statement (2) holds.

According to Theorem 4, $\longrightarrow_K \subseteq \longrightarrow_M$. Now what we need is to prove
that any non-loop transition in $\mathcal{P}(M)$ is also a transition in $K$. Note that,
according to Lemma 1, $PP_K = PP_M$. Consider a transition $P \longrightarrow_M P'$,
where $P' = P \cup \{f\}$ for a feature $f \notin P$. We want to show that there is a
transition $P \longrightarrow P'$ in $K$. According to Definition 7, $P' \models \mathsf{BL}(T) \cup \mathsf{BL}(\mathcal{EX})$,
and $P \models \mathsf{BL}^{i2c}(P, f)$. Thus, there are two choices:

(i) $\mathsf{BL}^{i2c}(P, f) = \emptyset$

(ii) $\mathsf{BL}^{i2c}(P, f) \neq \emptyset$

(i): This implies that the parent of $f$ is freshly added through a transition
ingoing to $P$. Hence, due to $K \models$ ML (T), there exists a transition $P \longrightarrow_K
P'$.

(ii): Since $P' \models \mathsf{BL}(\mathcal{EX})$, $P \models \neg\bigvee \mathsf{BL}^{EX}(f)$. Also, $P \models \mathsf{BL}^{i2c}(P, f)$ implies
that $P \models \mathsf{BL}^{!}(T^{g}_{OR})$ for any $g \in P \cap (f^{\uparrow})_{\downarrow}$, which means $P \models \mathsf{BL}^{i2c}(f)$.
Hence, due to ML*’ (Tor, €%), there exists a transition $P \longrightarrow P'$.

(i) and (ii) imply that any non-loop transition in $\mathcal{P}(M)$ is also a
transition in $K$. Hence, $\longrightarrow_M \subseteq \longrightarrow_K$.


Proof of Theorem 5 (Completeness):
Lemma 1 shows that $K \models$ ML°(M) implies $PP_K = PP_M$. Lemma 2 proves
that $K \models \mathsf{ML}(M)$ implies $\longrightarrow_K = \longrightarrow_M$. Hence, $K \models \mathsf{ML}(M)$ implies $K =
\mathcal{P}(M)$. Considering the soundness theorem (Theorem 3), the completeness
theorem is proven.


5.5 Feature modeling without i2c


The i2c-principle should not be considered as a mandatory requirement
in generating PPLs from models. Given a model $M$, let $\mathcal{P}^{\neg i2c}(M)$ denote
its PPL, whose partial products and transitions do not necessarily meet
the i2c principle: its set of states is $\{P \subseteq F : P \models \mathsf{BL}(M) \setminus \mathsf{BL}^{i2c}(T_{OR})\}$,
denoted by $PP^{\neg i2c}_M$, and its transitions, denoted by $\longrightarrow^{\neg i2c}_M$, are defined as
in Definition 7, but the condition (a3) is not required. To build the ppCTL
theory of $\mathcal{P}^{\neg i2c}(M)$, we just need to subtract the i2c theories from $\mathsf{ML}(M)$
(i.e., exclude the column i2c from Table 3). Let $\mathsf{ML}^{\neg i2c}_{\preceq}(M)$ and $\mathsf{ML}^{\neg i2c}(M)$
denote the corresponding semi-complete and complete theories for $\mathcal{P}^{\neg i2c}(M)$,
respectively. Then our proofs above provide also the following results (just
ignore the parts corresponding to i2c).


Theorem 6 $P^{\neg i2c}(M) \models ML^{\neg i2c}(M)$.


Theorem 7 $K \models ML^{\circ\neg i2c}(M)$ implies $K \le P^{\neg i2c}(M)$.


Theorem 8 $K \models ML^{\neg i2c}(M)$ iff $K = P^{\neg i2c}(M)$.

Product lines without the i2c-principle have several interesting properties.


Definition 12 We call a ppKS K Boolean, if a transition between two 
distinct states $P, P' \in PP$ exists iff $P \subset P'$ and $P' \setminus P$ is a singleton. The
class of all Boolean ppKSs over a set of features F is denoted by KS®"(F); 
thus, KS®"(F) c KS(F). 


Note that any Boolean ppKS K is determined by a pair of Boolean theories
$(\Psi_K, \Psi^{!}_K)$ such that $\Psi^{!}_K \models \Psi_K$: the first theory defines all
products in K, while the second theory defines (the subset of) full
products.$^{13}$

Now it is easy to see that for a given model M, its PPL $P^{\neg i2c}(M)$ is
a Boolean ppKS specified by the pair $(BL^{\neg i2c}(M), BL^{!}(M))$ with the first
theory, $BL^{\neg i2c}(M) = BL(M) \setminus BL^{i2c}(T_{OR})$ (see Table 1), specifying
partial products not necessarily satisfying the i2c, and the second one
specifying full products. This ppKS enjoys the following universal
maximality property.


Proposition 2 Let $M \in FM(F)$ be a model. Then any Boolean ppKS
K over F such that $K \models BL^{\neg i2c}(M)$ and $K \models (! \to BL^{!}(M))$ is a
substructure of $P^{\neg i2c}(M)$, i.e., $K \le P^{\neg i2c}(M)$.


13 In detail, $\Psi_K = \bigvee\{\Psi(P) : P \in PP_K\}$ and for a product
$P = \{f_1, \dots, f_n\}$, $\Psi(P) = \bigwedge\{f_1, \dots, f_n, \neg g_1, \dots, \neg g_k\}$,
where features $g_i \notin P$, and $\neg g_i$ denotes negation of $g_i$. Theory
$\Psi^{!}_K$ is defined similarly with full rather than partial products.


Proof: Let K be a ppKS as above. $K \models BL^{\neg i2c}(M)$ implies that
$\forall P \in PP_K : P \models BL^{\neg i2c}(M)$. Therefore, any state in K is a partial
product not necessarily satisfying the i2c of M, i.e., $PP_K \subseteq PP^{\neg i2c}_M$.

Since both K and $P^{\neg i2c}(M)$ are Boolean ppKSs over F and
$PP_K \subseteq PP^{\neg i2c}_M$,
$\forall P, P' \in PP_K : P \neq P' \wedge P \to_K P' \Rightarrow P \to^{\neg i2c}_M P'$.
This means that any non-loop transition in K is a non-loop transition in
$P^{\neg i2c}(M)$. Now, we just need to show that any self-loop transition in K is
a self-loop transition in $P^{\neg i2c}(M)$. Since $K \models\ ! \to BL^{!}(M)$, any full
product of K is a full product of M, i.e.,
$\forall P \in PP_K : P \to_K P \Rightarrow P \to^{\neg i2c}_M P$.


6 Feature model refactoring 


Model refactoring is important for the practice of feature modeling [38]. 
The goal of refactoring is to replace a given model M with a syntactically 
different but semantically equivalent model M’, i.e., having the same (partial) 
products. In this section we investigate what we can say about syntactical 
relationships of two semantically equivalent models over the same set of
features F, i.e., such that $M, M' \in FM(F)$ and $P(M) = P(M')$.

The first lemma shows that their trees must be identical. 


Lemma 3 Given two models M and M', $P(M) = P(M') \Rightarrow T_M = T_{M'}$.


Proof: Let Ty = (F,r,*) and Ty = (F,r,"). Consider an arbitrary 
feature f ¢ F. We show that f\) C fy and fy C fy, ie, fly = fyy- 
Assume that there is a feature g € F such that g € f\,; but g ¢ fi. The 
latter implies that IP € PP :g € PA f ¢ P, whereas the former implies 
that VP € PP :g € P= fe€P. As these two statements contradict 
each other, fi) C fy. Likewise, fyyy C fiy. Therefore, fy) = fy for 
any feature f€F’, which implies (together with equality between the root 
features) that = ”. Thus, Ty = Ty 

Given a set of Boolean formulas (a theory) $\Psi$, we denote its semantic
closure $\{\phi : \Psi \models \phi\}$ by $\Psi^{\models}$ (see footnote 7 on page 81 for
the definition).


Given a model M, we mean $BL(\mathcal{EX}_M)^{\models}$ by $\mathcal{EX}^{\models}_M$.


Lemma 4 Given two models M and M',
$P(M) = P(M') \Rightarrow \mathcal{EX}^{\models}_M = \mathcal{EX}^{\models}_{M'}$,
i.e., their sets of exclusive constraints are equivalent.$^{14}$


14 Note that an exclusive constraint in a model may be derivable from others,
e.g., if $G \in \mathcal{EX}$, then for any feature $f \notin G$, $G \cup \{f\}$ is a derivable
exclusive constraint. This is why we have used semantic equality rather than
equality.


Proof: Let M and M' be two models such that $P(M) = P(M')$. According
to Lemma 3, $T_M = T_{M'}$. Therefore, their corresponding sets of incomparable
features are the same, i.e., $(\#2^F)_M = (\#2^F)_{M'}$. Let us denote this set by
$\#2^F$.

According to the definition of partial products,

$\forall G \in \#2^F : \neg\bigwedge G \in \mathcal{EX}^{\models}_M \Leftrightarrow (\nexists P \in PP_M : P \models \bigwedge G)$,

$\forall G \in \#2^F : \neg\bigwedge G \in \mathcal{EX}^{\models}_{M'} \Leftrightarrow (\nexists P \in PP_{M'} : P \models \bigwedge G)$.

Since $PP_M = PP_{M'}$, $\mathcal{EX}^{\models}_M$ and $\mathcal{EX}^{\models}_{M'}$ must be equal. In other
words, $\mathcal{EX}_M$ and $\mathcal{EX}_{M'}$ are semantically equivalent.

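Given a model M, we write $(\mathcal{IN}_M \cup \mathcal{OR}_M)^{\models}$ to denote
$(BL(\mathcal{IN}_M) \cup BL(\mathcal{OR}_M))^{\models}$.


Lemma 5 Given two models M and M',
$P(M) = P(M') \Rightarrow (\mathcal{IN}_M \cup \mathcal{OR}_M)^{\models} = (\mathcal{IN}_{M'} \cup \mathcal{OR}_{M'})^{\models}$.


Proof: Let M and M' be two models with $P(M) = P(M')$. Then,
their full products are the same (recall that full products are specified
by self-loops), which means that $BL^{!}(M)^{\models} = BL^{!}(M')^{\models}$ (see row (all!)
in Table 1). According to Lemma 3 and Lemma 4,
$(BL(T_M) \cup BL(\mathcal{EX}_M))^{\models} = (BL(T_{M'}) \cup BL(\mathcal{EX}_{M'}))^{\models}$.
This implies that
$(BL^{!}(\mathcal{OR}_M) \cup BL^{!}(\mathcal{IN}_M))^{\models} = (BL^{!}(\mathcal{OR}_{M'}) \cup BL^{!}(\mathcal{IN}_{M'}))^{\models}$.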


Figure 5: M5 and M6 are semantically equal.


Note that PPLs cannot distinguish between $\mathcal{OR}$ and $\mathcal{IN}$ constraints
in models, as we can replace an OR constraint with an inclusive CC. For
instance, consider the models M5 and M6 in Fig. 5. The features f, g in M5
form an OR group, while they are optional in M6 with an inclusive CC
"$r \to f \vee g$". However, their PPLs are the same (see $PPL_{5,6}$ in Fig. 5).

The three lemmas above imply the following important result. Given a
model M, let us call the sets of Boolean formulas $\mathcal{EX}_M$ and
$\mathcal{OR}_M \cup \mathcal{IN}_M$, resp., the exclusion and the mandatoriness theories
provided by M.


Theorem 9 If two feature models M and M' over the same set of features
have the same partial product lines, $P(M) = P(M')$, then the models have
the same feature tree, the exclusion theories they provide are semantically
equivalent, and the mandatoriness theories they provide are semantically
equivalent as well.


Discussion. The theorem shows that the ppKS semantics for feature models 
accurately captures both their tree structure and constraints. The former 
component (that practitioners often call feature hierarchy) has always been a 
challenging issue for the Boolean semantics [37], but is well manageable with
our ppKS semantics. That is why we call the ppKS semantics faithful. Note
also that any standard complete axiomatization of the Boolean semantics
allows us to replace semantic equivalence above by mutual derivability of 
the theories. 


Figure 6: M7 and M8 are not semantically equal.


However, given two models with the same tree-structure, equivalent
exclusive constraints, and the same full products, their PPLs are not
necessarily identical. This fact is due to the i2c principle. As an example,
consider the two models M7 and M8 in Fig. 6. The only difference between
these models is that an equivalent inclusive CC has been used in M8 in place
of an OR group in M7.

These two models satisfy the conditions (i), (ii), and (iii) in Theorem 9.
However, their PPLs are not the same. PPL in the figure represents P(M8).
We can get the PPL of M7 by removing the dashed transition from {r, f} to
{r, f, g} (due to the i2c principle).

It is easy to see that if we do not consider i2c as a mandatory requirement
in generating PPLs for models, Theorem 9 above would be bidirectional:


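Proposition 3 Two models over the same set of features,
$M = (T, \mathcal{OR}, \mathcal{EX}, \mathcal{IN})$ and $M' = (T', \mathcal{OR}', \mathcal{EX}', \mathcal{IN}')$, are
($\neg$i2c)-semantically equivalent, i.e., $P^{\neg i2c}(M) = P^{\neg i2c}(M')$, iff the
following three conditions hold: (i) $T = T'$,
(ii) $\mathcal{EX}^{\models} = \mathcal{EX}'^{\models}$, and
(iii) $(\mathcal{OR} \cup \mathcal{IN})^{\models} = (\mathcal{OR}' \cup \mathcal{IN}')^{\models}$.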


Proof: Obviously, Theorem 9 holds also on PPLs without i2c, as the
proofs of Lemmas 3, 4, and 5 have nothing to do with i2c. Consider two
models M and M' such that (i), (ii), and (iii) hold for them. We will show
that $P^{\neg i2c}(M) = P^{\neg i2c}(M')$. (i) implies that $BL(T_M) = BL(T_{M'})$.
(ii) implies that $BL(\mathcal{EX}_M)^{\models} = BL(\mathcal{EX}_{M'})^{\models}$. Therefore,
$(BL(\mathcal{EX}_M) \cup BL(T_M))^{\models} = (BL(\mathcal{EX}_{M'}) \cup BL(T_{M'}))^{\models}$,
which implies that $BL(M)^{\models} = BL(M')^{\models}$. This means that, according to
Proposition 2,

$PP^{\neg i2c}_M = PP^{\neg i2c}_{M'}$.

(iii) implies that
$(BL^{!}(\mathcal{OR}_M) \cup BL^{!}(\mathcal{IN}_M))^{\models} = (BL^{!}(\mathcal{OR}_{M'}) \cup BL^{!}(\mathcal{IN}_{M'}))^{\models}$.
Then, considering (i) and (ii), $BL^{!}(M)^{\models} = BL^{!}(M')^{\models}$. Therefore,

$FP_M = FP_{M'}$.

Since $PP^{\neg i2c}_M = PP^{\neg i2c}_{M'}$ and $FP_M = FP_{M'}$, according to
Proposition 2 and the maximality property of PPLs without i2c,
$P^{\neg i2c}(M) = P^{\neg i2c}(M')$.


7 Other Applications of the Modal Logic View of 
Feature Modeling 


In this section, we discuss some concrete tasks in feature modeling, which 
would benefit from the modal logic view of models. 


7.1 Analysis of models 


Analysis of models is an important practical issue, and as industrial models 
can contain thousands of features, the analysis should be automated [4]. A 
big group of analysis problems rely on the Boolean semantics of models. 
For example, given a model M, we may be interested in checking whether
PL(M) is not empty [39], or whether a given set of features G is a valid
full product, i.e., $G \in PL(M)$ [24]. We may also be interested in finding
the set of common (core) features among all full products, $\bigcap PL(M)$ [39],
or checking whether f is a core feature, i.e., $f \in \bigcap PL(M)$. Specifically, an
important problem is to find so-called dead features, which do not occur in
any product [24]. A typical practical approach to these analysis problems is
to encode the model by a Boolean theory, and then use off-the-shelf tools
like SAT-solvers [3].


However, there are some other important analysis problems, in which
the use of the Boolean semantics can be error-prone. For example, it is often
important to know if one model $M_1$ is a refactoring of another model $M_2$, or
a specialization of $M_2$, or neither [38]. Standard definitions of refactoring and
specialization are based on semantics, which in the Boolean case gives rise
to defining refactoring $M_1 \sim M_2$ as $PL(M_1) = PL(M_2)$ and specialization
$M_1$ x $M_2$ as $PL(M_1) \subseteq PL(M_2)$. However, as we have seen above, the
Boolean semantics is too poor and makes the definitions above inadequate
for their goals (see the example in the introduction). Hence, in practice, to
investigate refactoring and specialization, engineers should work with pairs
(PL(M), M), whose second component represents the feature hierarchical
structure not captured by the first component. Working with such pairs
brings two issues. First, it leads to obvious maintenance problems: if one of
the components changes, the user must remember to propagate the changes
to the other component. Second, having a syntactical "non-Boolean" object
of analysis does not allow us to use SAT (or SMT) solvers. However, the PPL
semantics allows us to manage both issues. As our completeness theorem
shows, PPL(M) adequately captures the feature hierarchy, and hence we
can analyze a single object, PPL(M) or, equivalently, the modal theory
ML(M). In Sect. 6, we have discussed refactoring in the semantic sense
(PPLs) in depth.


Finally, there are analysis problems only addressing the hierarchy, e.g.,
finding the Lowest Common Ancestor (LCA) of a set of features in the feature
tree [29]. The PPL semantics allows us to analyze such a problem by using
a model checker: given a set of features G and a candidate common ancestor
feature c, we need to check whether the Kripke structure PPL(M) satisfies
$\bigvee G \to c$. This way, we could get the set of common ancestors of G. Let us
denote it by C. Now, to check whether an element $l \in C$ is the LCA of G, we
just need to check if PPL(M) satisfies $l \to \bigwedge C$. Other syntactical analysis
problems can be approached in the same way: a model M is represented
by a Kripke structure PPL(M), the problem to be analyzed is encoded
by a ppCTL-formula $\phi$, and a model checker tool is used for checking if
$PPL(M) \models \phi$.


7.2 PL-builder vs. PL-user View


Modal properties of product lines may not be so important for the user, 
for whom a model is just a structure of check-boxes to guide his choices. 
However, modal properties can be important for the vendor, who should 
plan and provide a reasonable production of all products in the product line. 
For example, consider the following scenario. 

Suppose we want to design a chassis with two mandatory components:
an engine and a frame. An engine is of type $e_1$ xor $e_2$, and a frame is of
type $f_1$ xor $f_2$, as specified in Fig. 7. In general, engine $e_i$ better fits
in frame $f_i$, i = 1,2, but the frame supplier can modify the frame for an
extra cost. Thus, we have four full products $P_0 \cup P_{ij}$ with
$P_0 = \{c, e, f\}$ and $P_{ij} = \{e_i, f_j\}$, i, j = 1,2 (c, e, and f stand for
chassis, engine, and frame, resp.).


Figure 7: A model of an Engine Frame (a), and its PPL (b)


There are two ways for assembling the chassis. If we first decide on
the engine type, then, for engine $e_i$, we may choose either to order frame
$f_i$, or frame $f_j$, $j \neq i$, with a suitable modification, depending on what
is cheaper (we assume that each frame type has its own supplier). Thus,
from each product $P_0 \cup \{e_i\}$, i = 1,2, there are two transitions as shown in
Fig. 7. However, if we first decide on the frame type, then only the engine
of the respective type can be mounted on the frame, and transitions from
$P_0 \cup \{f_i\}$ to $P_0 \cup \{f_i, e_j\}$, $i \neq j$, are illegal (shown dashed/red in
Fig. 7). To exclude the illegal transitions from the PPL, we need to add to
the model the following two modal CCs:
$(f_i \wedge e \wedge \neg e_j) \to AX\,\neg e_j$ for $i, j \in \{1,2\}$ and $i \neq j$.
Such constraints cannot be expressed in BL as they do not change the set of
partial products, and only transitions are affected.
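
Added example (not from the paper): the state-formula checks of Sect. 7.1
and the modal CCs of Sect. 7.2, run on the chassis model of Fig. 7. It
assumes the Boolean ppKS of Definition 12 without i2c, so states are the
root-containing, parent-closed feature sets that include no exclusive group;
the encoding of the model and all function names are made up for
illustration.

```python
"""Added example: Sect. 7.1/7.2 checks on a constructed chassis model (no i2c)."""
from itertools import combinations

# Constructed encoding of the chassis model of Fig. 7 (child -> parent).
ROOT = "c"
PARENT = {"e": "c", "f": "c", "e1": "e", "e2": "e", "f1": "f", "f2": "f"}
FEATURES = [ROOT, *PARENT]
# Assumed encoding: each xor group contributes one exclusive constraint.
EXCLUSIVE = [frozenset({"e1", "e2"}), frozenset({"f1", "f2"})]


def partial_products():
    """States of the Boolean ppKS: sets that contain the root, contain the
    parent of every member, and include no exclusive group (i2c ignored)."""
    states = []
    for size in range(1, len(FEATURES) + 1):
        for combo in combinations(FEATURES, size):
            p = frozenset(combo)
            if ROOT not in p:
                continue
            if any(PARENT[f] not in p for f in p if f != ROOT):
                continue
            if any(group <= p for group in EXCLUSIVE):
                continue
            states.append(p)
    return states


def boolean_transitions(states):
    """Definition 12: P -> P' iff P is a subset of P' and P' minus P is a singleton."""
    known = set(states)
    return {(p, p | {f}) for p in states for f in FEATURES
            if f not in p and (p | {f}) in known}


def holds_everywhere(states, formula):
    """A propositional formula is valid in the structure iff every state satisfies it."""
    return all(formula(p) for p in states)


def common_ancestors(states, group):
    """Sect. 7.1: c is a common ancestor of G iff (OR G) -> c holds in all states."""
    group = frozenset(group)
    return {c for c in FEATURES
            if holds_everywhere(states, lambda p, c=c: not (p & group) or c in p)}


def lowest_common_ancestor(states, group):
    """Sect. 7.1: l in C is the LCA iff l -> (AND C) holds in all states."""
    ancestors = common_ancestors(states, group)
    hits = [l for l in sorted(ancestors)
            if holds_everywhere(states, lambda p, l=l: l not in p or ancestors <= p)]
    return hits[0] if len(hits) == 1 else None


def violates_modal_cc(src, dst):
    """Sect. 7.2: (f_i AND e AND NOT e_j) -> AX NOT e_j, for i != j.
    A transition breaks it when src satisfies the premise and dst contains e_j."""
    for i, j in (("1", "2"), ("2", "1")):
        premise = "f" + i in src and "e" in src and "e" + j not in src
        if premise and "e" + j in dst:
            return True
    return False


def apply_modal_ccs(transitions):
    """Keep only the transitions permitted by the two modal CCs."""
    return {(s, d) for s, d in transitions if not violates_modal_cc(s, d)}


if __name__ == "__main__":
    states = partial_products()
    before = boolean_transitions(states)
    after = apply_modal_ccs(before)
    print(len(states), "states;", len(before), "->", len(after), "transitions")
    for src, dst in sorted(before - after, key=lambda t: sorted(t[1])):
        print("removed:", sorted(src), "->", sorted(dst))
    print("LCA of e1,e2:", lowest_common_ancestor(states, {"e1", "e2"}))
    print("LCA of e1,f2:", lowest_common_ancestor(states, {"e1", "f2"}))
```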


7.3 Reverse Engineering of models 


Reverse engineering of models is an active research area in feature modeling. 
It addresses the following problem: given a PL, we want to build an ap- 
propriate model representing the PL. Depending on the PL representation, 
current approaches are grouped into two kinds: reverse engineering of models 
from (a) Boolean logic formulas [14], and (b) from textual descriptions of 
features [2,30]. She et al. in [37] argue that none of these approaches is 
complete. Indeed, the main challenge is to recover an appropriate hier- 
archical structure of features. The Boolean logic approach is incomplete, 
since, as already discussed, the Boolean logic semantics cannot capture the 
feature hierarchy. The textual approach is also deficient as it is informal, and 
also “suggests only a single hierarchy that is unlikely the desired one” [37]. 
To relieve the deficiencies of these approaches, the current state-of-the-art
approach [37] proposes a heuristics-based procedure, which uses both types 
of input. However, if we take the given input to be the ppCTL theory of the 
PL, reverse engineering of models becomes simpler and more manageable, as 
the theory contains everything needed to build a corresponding model. Also, 
our careful decomposition of a model’s structure and the respective theories 
into small blocks allows better tuning of the reverse engineering process. Our
ML theories $ML(T)$, $ML^{!}(\mathcal{OR}) \cup ML^{!}(\mathcal{IN})$, and $ML(\mathcal{EX})$ capture,
resp., the tree-structure T, the mandatoriness requirements (OR-groups and
inclusive crosscutting constraints), and the exclusive constraints.


8 Related Work 


We discuss the connection between models and event modelling of concurrent 
systems in Sect. 8.1; other related work is discussed in Sect. 8.2. 


8.1 Feature vs. Event-based Concurrency Modeling 


In this section, we summarize similarities and differences between feature 
modeling and event-based concurrency modeling. We also point to several 
possibilities of fruitful interactions between the two disciplines.

Following the survey in [40], we distinguish three approaches in event
modeling. The first is based on a topological notion of a configuration
structure (E,C) with E a (possibly infinite) set of events, and $C \subseteq 2^E$ a family
of subsets (usually finite) of events, which satisfy some closure conditions (e.g.,
under intersection and directed union). Sets from C are called configurations 
and understood as states of the system: X € C is a state in which all events 
from X already occurred. 

In the second approach, valid configurations are specified indirectly 
by some structure D of dependencies between events, which make some 
configurations invalid. Formally, some notion of validity of a set $X \subseteq E$
with respect to D is specified so that an event structure (E,D) determines
a configuration structure $\{X \subseteq E : X$ is valid with respect to $D\}$. Typical
representatives of this approach are Winskel’s prime and general event 
structures [41], and Pratt’s event spaces [33]. 

The third approach, originating in [20], is an ordinary encoding of sets 
of propositions by Boolean logical formulas. Then an event model is just 
a Boolean theory, i.e., a pair $(E, \Phi)$ with $\Phi$ a set of propositional formulas
over set E of propositions. The left half of Table 5 summarizes this rough
mini-survey. 


Table 5: Event vs. feature modeling


Approach      Event Models   Feature Models (Boolean)   Feature Models (Modal)
Topological   (E,C)          (F,PP,FP)                  (F,PP,→,D)
Structural    (E,D)          (FM)
Logical       (E,Φ)          (F,BL(M),BL^!(M))          (F,ML(M))


Importantly, transitions between states are typically considered a
derived notion: in [20], any set inclusion is a transition, and in [40], special
conditions are to hold in order for a set inclusion to be a valid transition. A
notable exception is event automata in [31], i.e., tuples $(E, C, \to, I)$ with $\to$
a given transition relation over configurations (states), and $I \in C$ an initial
state.

Feature modeling is directly related to event modeling, and actually can 
be seen as a special interpretation of event modeling. Indeed, features can 
be considered as events, (partial) products as configurations, and models as
special event-structures: a model $M = (T_{OR}, \mathcal{EX}, \mathcal{IN})$ can be seen as a
special encoding of a set of dependencies analogous to D (the middle row
of the table). An important distinction of the Boolean feature modeling is 
the presence of a special subset of final states (products), so that feature 
modeling’s topological and logical counterparts are triples rather than pairs 
(see the Boolean column in the table). Pinna and Poigné in [31] mention 
final states (they call them quiescent) but do not actually use them, whereas 
for feature modeling, final products are a crucial ingredient. 


The last column of the table describes feature modeling’s basic topo- 
logical and logical structures in the modal logic view: the upper row is our 
notion of ppKS, and the bottom one is the theory specified in Sect. 5. Our 
ppKS is exactly an event automaton with quiescent states, which, addition- 
ally, satisfies the conditions of Left-totality of the transition relations and 
Self-loops only, but Pinna and Poigné do not apply modal logic for specifying 
event automata’s properties (and do not even mention it); they also do not 
consider the i2c-principle. 


The comparison above shows enough similarities and differences to hope 
for a fruitful interaction between the two fields. We are currently investigating 
what feature modeling can usefully bring to event modeling; and can mention 
several simple findings. The presence of two separate Boolean theories allows 
us to formally distinguish between enabling and causality [20]. Also, we are 
not aware of propositional specifications of transient conflicts (discussed on 
page 84) such as our Boolean and modal encoding of i2c. These encodings 
are nothing but a compact formal specification of a transaction mechanism, 
which is usually considered to be non-trivial. 


Recently similar generalizations were proposed for event modeling in the 
formalism of DCR-Graphs [21]. DCR-Graphs employ two relations between 
events, condition (the same as the causality relation in prime event structures) 
and response, that correspond to our subfeature and mandatoriness relations, 
respectively. Their markings roughly correspond to our partial products, and 
initially required response events somehow correspond to full products. DCR- 
Graphs also use two additional relations dynamic include/exclude, which 
allow them to model several important constructs in concurrent distributed 
workflow, including transient conflicts. However, we conjecture that models 
provide more expressiveness for event modeling than DCR-Graphs do. The 
main reason is that response events (dually) correspond to maximal runs of 
configurations. Correspondence between response events and full products 
would then enforce full products to be terminal in our PPL, while there
are models with some non-terminal full products (for instance, see Fig. 2).
A detailed comparative analysis of models and DCR-Graphs should be an 
interesting research task. 

These observations show that a simple feature model formalism is 
capable of encoding complex modal theories specifying non-trivial concurrent 
phenomena. 


8.2 Related Work in Feature Modeling 


Formal Language based Approaches. Several approaches, [3, 12, 15], 
and [35], have been proposed connecting feature modeling to formal languages. 
The closest work to ours is [35], where we provided a semantics for cardinality- 
based feature models (a generalization of models in which we deal with feature 
instances) by using formal languages as the semantic domain. We first 
proposed a generalization of cardinality-based FDs (CFDs), called cardinality- 
based regular expression diagrams (CRDs) in which a label of a node can be 
any regular expression built over a set of features. Then, a reduction process 
was provided going from a given CRD to a regular expression. It was proven 
that the regular expression generated for a given CFD captures both the full 
products and the hierarchy of the CFD. As for CCs, we proposed a language 
interpretation of them, which allowed us to integrate the semantics of CFDs 
and CCs over them. 

The main similarity between the two approaches is that they both
provide faithful semantics for feature modeling. However, they do so in two
different ways. To be able to discuss their differences in detail, we transform
PPLs to automata as follows. The singletonicity property in ppKSs (see
Definition 9) allows us to transform PPLs into finite state automata (FSA)
in a straightforward way. Indeed, there is a duality between a PPL and
its corresponding FSA. Fig. 8(b) represents the PPL of the model M in
Fig. 8(a); the full products are circled. Fig. 8(c) represents the corresponding
FSA of the PPL, where the final states are identified by double circles. Let
A(M) denote this automaton. Applying the translation procedure on M
described in [35], the regular expression generated for M would be equal
to R=c (eb (+a) +b (e€ +a) e). Note that there is an infinite number of
automata whose languages are equal to the language of R. On the other
hand, the Kripke approach generates a unique automaton for a given model,
as we saw in the example above. Roughly speaking, the Kripke approach is
an imperative approach, while the language approach is a declarative one.
Also, the language of A(M) is not equal to the language of R (the latter is
a proper subset of the former).


Figure 8: (a) M, (b) P(M), (c) A(M)


Algebraic Approaches. An algebraic model based on commutative 
idempotent semirings was developed in [22]. Given a model M, its PL is
encoded as a term in the algebra generated by M’s leaf features, so that 
non-leaf features are derived. In contrast, for us, all features are basic, which 
better conforms to a common feature modeling practice. 


Amongst algebraic models for PLs, the closest to ours is a process 
algebra, called PL-CCS [26], which extends the classical CCS by an operator
$\oplus$ to model variability. Each $\oplus$ occurrence in a PL-CCS expression is
equipped with a unique index, and runtime occurrences with the same index 
must make the same choice. Processes are interpreted as products and 
the behaviour of a PL is given by a set of processes whose semantics is 
given by multi-valued Kripke structures. There are interesting similarities 
and differences between PL-CCS and our approach. In PL-CCS, a PL’s 
behaviour is reconstructed from an immediate PL specification. In contrast, 
we extract the behaviour from the model, which we have shown can be seen 
as an indirect PL’s specification providing everything needed to reconstruct 
the behavior. We might say that in PL-CCS, the expressive power of models 
is underestimated as they are seen in the Boolean perspective. Importantly, 
PL-CCS allows for recursive definitions of processes, which makes it more 
expressive than our ppCTL. However, allowing recursive product definitions 
leads us beyond the boundaries of the tree-based models and our goals in the 
present paper. Iterative definitions are possible in cardinality-based models. 
On the other hand, crosscutting constraints cannot be expressed in PL-CCS, 
but are readily specified in our approach (we even allow for modal CCs).


Staged Configurations. Czarnecki et al. introduced and developed
the concept of (multi-level) staged configuration in [11,13]: given a model
M, its full products are instantiated via consecutive specializations (called 
stages) of M by either discarding an optional feature or making it mandatory 
for the stage at hand and all consecutive stages. This process is continued 
until a fully specialized model denoting only one configuration is reached. A 
formal semantics for such multi-level staged configurations was defined by 
Classen et al [9]. The idea was further developed by Hubaux et al [23], who 
proposed to map models to tasks and conditions of workflows. Their approach 
supports parallel execution of stages and choice between them, and iterative 
configurations. Although both PPLs and configuration stages show how to 
instantiate full products, they are essentially different. Configuration paths 
are sequences of models with decreasing variability, whereas instantiation 
paths in PPLs are sequences of products with increasing commonality. Thus, 
the two frameworks aim at different goals and are somewhat orthogonal (but, 
of course, PPLs cover variability too as full products are included into PPL). 


Feature Transition Systems. In a series of papers summarized in [8], 
Classen et al. proposed an elegant and effective solution to checking a given
PL of transition systems (TS) in a single run of a model checker rather than
checking each of the TSs separately. The entire PL is encoded as a feature
TS (FTS), in which transitions are labeled by both actions and Boolean
expressions over features as Boolean variables. A truth assignment to the
feature variables defines the behaviour of a single product, and the FTS as a
whole represents the entire PL. They also defined a logic fCTL to allow CTL
properties to refer to specific products in the line and extended the model
checking procedures to support checking FTSs against fCTL properties.
Their tools are capable of reporting, in a single model checking run, all 
products for which a property holds, as well as those for which it fails to hold. 
In [10], Cordy et al extend a common model checking framework known as 
CEGAR, to support FTSs as well. Thus, FTS and our idea are orthogonal 
ideas: for the former, a product is a TS, while for us a product is a set of 
features without any functional properties. These two ideas can be combined 
in a single formalism, but we leave it for future work. 


Hierarchical Multiset Semantics. Safilian and Maibaum in [34] propose
a multiset-based theory for a given CFD, which is called the hierarchical
theory of the CFD. The theory is based on a defined hierarchy of multisets
over the set of features. The hierarchical theory of the CFD is a subset of
this hierarchy. It is shown that the theory captures all information about
the diagram (even explicitly distinguishing between the grouped and solitary
features). The theory provides a promising theoretical framework to address
some challenging issues in feature model management and reverse engineering
of CFDs. However, they have not managed CCs in their theory (mentioned
as future work).


9 Future Work 


We describe several interesting open problems in the modal logic view of 
models, which would be theoretically and practically important. 


(i) Complete Axiomatic System for ppCTL. Finding a sound and 
complete axiomatic system for ppCTL is theoretically interesting. It would 
be also important in practice to do automated analysis over basic feature 
models (see (ii) below). As we know, ppCTL is a fragment of CTL plus a 
constant modality !. Several sound and complete axiomatic systems have 
been proposed for CTL, including [17], [5], and [25]. We can take advantage 
of these axiomatic systems to approach a sound and complete axiomatic 
system for ppCTL. 


(ii) Modal logic theory of Boolean semantics. Let $\Psi$ be a Boolean
theory over a set of atomic propositions F, and
$PPL(\Psi) = \{P \subseteq F : P \models \Psi\}$ its set of models. We can consider
$PPL(\Psi)$ as a discrete Kripke structure without transitions (and injective
labeling). We can convert it into a normal Kripke structure $P(\Psi)$ by
considering inclusions between states, and only them, as transitions. Now for
a modal formula $\phi$ in some modal logic ML, we write $\Psi \models^{*} \phi$ if
$P(\Psi) \models_{ML} \phi$. Note that while the latter relation is an ordinary
semantic entailment (for the logic ML), relation $\models^{*}$ is between
formulas in different logics. Specifically, if our modal logic has a zero-ary
modality, then we can define $(\Psi, \Psi') \models^{*} \phi$ for a pair of Boolean
formulas such that $\Psi' \models_{BL} \Psi$. These considerations show that modal
logic can be employed for specifying properties of Boolean semantics, i.e., as
a meta-theory for Boolean logic. We are not aware of a systematic study of
this construction. For example, how could the relations $\models^{*}$ be
axiomatized?


(iii) Automated analysis of models. To implement analysis operations
over a given feature model M, one could apply either a model checker or
theorem prover. To apply a model checker, we need to transform M to its
PPL P(M) and characterize given analysis problems in terms of ppCTL
formulas. We plan to implement the analysis operations over some realistic
examples using existing model checking tools. To take advantage of theorem
provers, we first need to have a complete axiomatic system for our logic.
There exist some theorem provers such as BDDCTL [28], CTL-RP [42], and
MLSolver [18], which can be used for reasoning about CTL formulas.


(iv) Process algebras for ppKSs and models. Industrial systems are 
often very complex, and software companies usually design their systems by 
utilizing smaller systems, which themselves are produced by other compa- 
nies [1]. Therefore, bigger feature models could be seen as composed from 
several smaller models. Hence, having a compositional way of defining com- 
plex models and their corresponding PPLs based on some algebra becomes 
important. 


(v) Strong version of i2c. Recall that the current version of the i2c 
principle says that two incomparable features can be included together 
in a partial product if at least one of them has been already completely 
instantiated. The current version of this principle is unavoidable, if we would 
like to realize a step-by-step computation; this is why ppKSs are enforced 
to satisfy the singletonicity condition (see Definition 9). However, in some 
contexts like concurrent systems, it also makes sense to consider a stronger 
version of the i2c principle: two incomparable features can be included 
together in a partial product if they both have been already completely 
instantiated. We plan to specify such a stronger version of the i2c-principle, in 
which a full product instantiation is always a transaction (which corresponds 
to replacing disjunction by conjunction in the definition of theory $BL^{I2C}(T_{OR})$,
row (3) in Table 1). To address this problem, we would first need to modify 
the definition of ppKSs, as the singletonicity condition would not hold 
anymore. The logic would be the same, but the ppCTL theory of a given 
model satisfying the strong i2c principle changes (which makes the problem 
challenging). 

(vi) Reverse engineering of models. In Sect. 6, we have shown that the 
PPL of a given model captures the tree structure, the exclusive constraints 
(up to equivalence), and the mandatoriness constraints (up to equivalence). 
Since the set of features and also the PPL are finite, finding the components
of an appropriate model (a model that is a refactoring of the original model)
would be algorithmic. We plan to address this problem in our future work.


10 Conclusion 


We presented a novel behavioural view of models, in which a product is an 
instantiation process rather than its final result. We called the states of 
this process partial products, and showed that the set of partial products
together with a set of (carefully defined) valid transitions between them can 
be considered as a special Kripke structure, whose properties are specifiable 
by a special fragment of CTL enriched with a constant modality. We called 
this logic ppCTL. Our main result shows that a model can be considered
as a compact representation of a rather complex ppCTL-theory. Thus, 
the logic of feature modeling is modal rather than Boolean. We have also 
discussed several concrete tasks in feature modeling, which would benefit 
from using the modal logic view of models. These tasks include refactoring of 
models, analysis of models, reverse engineering of models, and specification 
of cross-cutting constraints. 
A Appendix. The BL and ppCTL theories of our
running example (model M1 in Fig. 1) 


In this section, we instantiate the general proofs in Sect. 5 with our running 
example data. Let us denote the model in Fig. 1 by M = (T,OR,EX,IN), 
where T is the tree of the model, and the other three components denote 
the respective three structures over T. In detail, $T = (F, r, \_^{\uparrow})$, where
$F = \{car, eng, gear, brakes, gas, elec, mnl, atm, oil, abs\}$, $r = car$, and mapping
$\_^{\uparrow}$ is defined as follows: $eng^{\uparrow} = gear^{\uparrow} = brakes^{\uparrow} = car$, $gas^{\uparrow} = elec^{\uparrow} = eng$,
$mnl^{\uparrow} = atm^{\uparrow} = oil^{\uparrow} = gear$, $abs^{\uparrow} = brakes$.

Mapping $OR$ is defined as follows:
$OR(car) = \{\{eng\}, \{gear\}, \{brakes\}\}$, $OR(eng) = \{\{gas, elec\}\}$,
$OR(gear) = \{\{mnl, atm\}, \{oil\}\}$, and $OR(brakes) = \varnothing$.

Finally, sets $EX$ and $IN$ are as follows: $EX = \{\{elec, mnl\}, \{mnl, atm\}\}$,
and $IN = \{atm \to abs\}$.


A.1 The Boolean theory 


According to Table 1, the Boolean theories associated with each of M’s 
components are as follows: 
The elements of $BL(T)$:

$$
\begin{aligned}
&\top \to car,\\
&eng \to car,\quad gear \to car,\quad brakes \to car,\\
&gas \to eng,\quad elec \to eng,\\
&mnl \to gear,\quad atm \to gear,\quad oil \to gear,\\
&abs \to brakes.
\end{aligned}
\tag{1}
$$

The elements of $BL(EX)$:

$$
elec \land mnl \to \bot,\qquad mnl \land atm \to \bot. \tag{2}
$$

The elements of $BL^{!}(OR)$:

$$
\begin{aligned}
&car \to eng,\quad car \to gear,\quad car \to brakes,\\
&eng \to gas \lor elec,\\
&gear \to mnl \lor atm,\quad gear \to oil.
\end{aligned}
\tag{3}
$$

The elements of $BL^{!}(IN)$:

$$
atm \to abs. \tag{4}
$$


To obtain the theory $BL^{I2C}(T_{OR})$ (Boolean theory of i2c), we need to
find the corresponding formulas, according to line (3) in Table 1, for the
siblings, i.e., for the pairs (eng, gear), (eng, brakes), (gear, brakes), (gas, elec),
(mnl, atm), (mnl, oil), and (atm, oil). Note that, for two sibling leaves $f$ and
$g$ (i.e., $f^{\uparrow} = g^{\uparrow}$ and $f_{\downarrow} = g_{\downarrow} = \varnothing$), the corresponding formula, $f \land g \to f \lor g$
(since $BL^{!}(T^{f}_{OR}) = \{\top \to f\} = \{f\}$ and $BL^{!}(T^{g}_{OR}) = \{\top \to g\} = \{g\}$), is
a tautology. Therefore, since gas, elec, mnl, atm, oil are leaves, the Boolean
i2c formulas associated with the pairs (gas, elec), (mnl, atm), (mnl, oil), and
(atm, oil) are all tautologies. Thus, the elements of $BL^{I2C}(T_{OR})$ are:

$$
\begin{aligned}
&eng \land gear \to (gas \lor elec) \lor ((mnl \lor atm) \land oil),\\
&eng \land brakes \to (gas \lor elec) \lor brakes = \top,\\
&gear \land brakes \to ((mnl \lor atm) \land oil) \lor brakes = \top.
\end{aligned}
$$

Thus, $\bigwedge BL^{I2C}(T_{OR}) =$

$$
eng \land gear \to (gas \lor elec) \lor ((mnl \lor atm) \land oil). \tag{5}
$$


According to line (all!) in Table 1, the BL theory of the full products
of M, $BL^{!}(M)$, is the set of all elements in (1), (2), (3), and (4). Thus, the
theory $\bigwedge BL^{!}(M)$ would be semantically equivalent to the conjunction of the
following elements:

$$
\begin{aligned}
&car \land eng \land gear \land brakes,\\
&(gas \lor elec) \land (mnl \lor atm) \land oil,\\
&(mnl \land atm \to \bot) \land (elec \land mnl \to \bot),\\
&(abs \to brakes)
\end{aligned}
\tag{6}
$$


According to line (all) in Table 1, the BL theory of the partial products 
of M, BL(M), is the set of all elements in (1), (2), and (5). 


Note that we wrote the semantically equivalent formulas, e.g., the second element
would be $eng \land brakes \to ((gas \lor elec) \land eng) \lor (brakes)$.
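As an added illustration (not part of the paper), the Python sketch below enumerates the Boolean models of the theories in this subsection by brute force over the ten features, encoding formulas (1) to (5) as stated above. The function names are this example's own; the model data is the running example's.

```python
from itertools import product

# Running example M = (T, OR, EX, IN), copied from the appendix.
FEATURES = ["car", "eng", "gear", "brakes", "gas", "elec", "mnl", "atm", "oil", "abs"]
PARENT = {"eng": "car", "gear": "car", "brakes": "car", "gas": "eng", "elec": "eng",
          "mnl": "gear", "atm": "gear", "oil": "gear", "abs": "brakes"}
OR_GROUPS = {"car": [{"eng"}, {"gear"}, {"brakes"}], "eng": [{"gas", "elec"}],
             "gear": [{"mnl", "atm"}, {"oil"}], "brakes": []}
EX = [{"elec", "mnl"}, {"mnl", "atm"}]
IN = [("atm", "abs")]

def implies(a, b):
    return (not a) or b

def bl_tree(v):   # (1): the root is present, every feature implies its parent
    return v["car"] and all(implies(v[f], v[p]) for f, p in PARENT.items())

def bl_ex(v):     # (2): no exclusive group is fully selected
    return not any(all(v[f] for f in group) for group in EX)

def bl_or(v):     # (3): a feature implies a member of each of its OR groups
    return all(implies(v[f], any(v[g] for g in group))
               for f, groups in OR_GROUPS.items() for group in groups)

def bl_in(v):     # (4): inclusive constraints
    return all(implies(v[a], v[b]) for a, b in IN)

def bl_i2c(v):    # (5): the only non-tautological i2c formula of the example
    return implies(v["eng"] and v["gear"],
                   v["gas"] or v["elec"] or ((v["mnl"] or v["atm"]) and v["oil"]))

def models(*theory):
    """All feature sets (valuations) satisfying every formula in `theory`."""
    found = []
    for bits in product([False, True], repeat=len(FEATURES)):
        v = dict(zip(FEATURES, bits))
        if all(formula(v) for formula in theory):
            found.append(frozenset(f for f in FEATURES if v[f]))
    return found

def full_products():      # models of (1), (2), (3), (4)
    return models(bl_tree, bl_ex, bl_or, bl_in)

def partial_products():   # models of (1), (2), (5)
    return models(bl_tree, bl_ex, bl_i2c)

def is_tautology(formula):
    return len(models(formula)) == 2 ** len(FEATURES)
```

Comparing `full_products()` with `partial_products()` shows which valuations are admitted only as intermediate states; `{car, eng, gear}` is rejected by (5) because neither `eng` nor `gear` is completely instantiated.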
A.2 The ppCTL theory


According to Table 3, the semi-complete theory of P(M), MLc(M), is equal 
to the union of $BL(M)$ and the following ML theories:


The elements of ML (OR): 


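$$
\begin{aligned}
&car \to \Box^{!} eng,\quad car \to \Box^{!} gear,\quad car \to \Box^{!} brakes,\\
&eng \to \Box^{!}(gas \lor elec),\\
&gear \to \Box^{!}(mnl \lor atm),\quad gear \to \Box^{!} oil.
\end{aligned}
\tag{7}
$$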
The elements of ML (IN): 
$$ atm \to \Box^{!} abs \tag{8} $$
The elements of MLt (M): 
$! \to \bigwedge BL^{!}(M)$, where $BL^{!}(M)$ can be found in (6) (9)


The elements of ML2°* (Tor)!°: 


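$$
\begin{aligned}
&eng \land \lnot gear \land \lnot gas \land \lnot elec \to \lnot EX\,gear,\\
&gear \land \lnot eng \land (\lnot oil \lor (\lnot mnl \land \lnot atm)) \to \lnot EX\,eng,\\
&eng \land \lnot brakes \land \lnot gas \land \lnot elec \to \lnot EX\,brakes,\\
&gear \land \lnot brakes \land (\lnot oil \lor (\lnot mnl \land \lnot atm)) \to \lnot EX\,brakes
\end{aligned}
\tag{10}
$$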


According to Table 3, to get the complete theory of P(M) ($ML(M)$),
we need to add the following ML theories to the semi-complete theory
(ML<(M)). 


16 According to Table 4, there is a corresponding formula for each pair of sibling features 
f and g. For our example, the corresponding formulas for other pairs of siblings are 
tautologies, e.g., take f = brakes and g = eng: the corresponding formula would be 
$(brakes \land \lnot eng \land \lnot brakes \to \lnot EX\,eng) = (\bot \to \lnot EX\,eng)$
The elements of ML4 (7):17

$$
\begin{aligned}
&car \land \lnot(eng \lor gear \lor brakes) \to EX\,eng \land EX\,gear \land EX\,brakes,\\
&eng \land \lnot(gas \lor elec) \land \lnot mnl \to EX\,elec,\\
&eng \land \lnot(gas \lor elec) \to EX\,gas,\\
&gear \land \lnot(mnl \lor atm \lor oil) \land \lnot elec \land \lnot atm \to EX\,mnl,\\
&gear \land \lnot(mnl \lor atm \lor oil) \land \lnot mnl \to EX\,atm,\\
&gear \land \lnot(mnl \lor atm \lor oil) \to EX\,oil,\\
&brakes \land \lnot abs \to EX\,abs.
\end{aligned}
\tag{11}
$$

The elements of ML! (M):

$\bigwedge BL^{!}(M) \to\ !$, where $BL^{!}(M)$ can be found in (6) (12)

The elements of ML*' (Tor, €%):

$$
\begin{aligned}
&(gear \to (mnl \lor atm) \land oil) \land car \to EX\,eng,\\
&(eng \to gas \lor elec) \land car \to EX\,gear,\\
&(eng \to gas \lor elec) \land (gear \to (mnl \lor atm) \land oil) \land car \to EX\,brakes,\\
&eng \to EX\,gas,\\
&eng \land \lnot mnl \to EX\,elec,\\
&gear \land \lnot elec \land \lnot atm \to EX\,mnl,\\
&gear \land \lnot mnl \to EX\,atm,\\
&gear \to EX\,oil,\\
&brakes \to EX\,abs.
\end{aligned}
\tag{13}
$$


The complete ML theory of the tree-structure, $ML(T) = BL(T)\ \cup$
ML‘ (7), would be the set of all elements in (1) and (11). 


The complete ML theory of exclusive constraints, $ML(EX) = BL(EX)$,
would be the set of formulas in (2), which is semantically equivalent to
$mnl \land (elec \lor atm) \to \bot$.


The complete ML theory of the OR component, ML'(OR) = MLi (OR), 
would then be the set of formulas in (7), which is equivalent to the conjunction
of the formulas $car \to \Box^{!}(eng \land gear \land brakes)$, $eng \to \Box^{!}(gas \lor elec)$, and
$gear \to \Box^{!}(oil \land (mnl \lor atm))$.


17The first element is the combination of three original elements of the set. 
The complete ML theory of inclusive constraints, ML'(ZN) = MLE(ZN),
is then $\{atm \to \Box^{!} abs\}$.

The complete ML theory of i2c, ML'7°(Tor) = BL'**(Tor )UML2“ (Tor), 
would be the set of all formulas in (10) and (5).

The complete ML theory of the full products, ML'(M) = MLe(M) U 
ML! (M), would be equivalent to $! \leftrightarrow \bigwedge BL^{!}(M)$, where $BL^{!}(M)$ was defined
in (6).

The complete ML theory of the partial products, ML°(M) = BL(M) U 
ML‘, (7) UML*’ (Tor, E*%), is the set of formulas in (1), (2), (5), (11), and 
(13). 